Abstract. We propose and rigorously analyze two randomized algorithms to factor univariate polynomials over finite fields using rank 2 Drinfeld modules. The first algorithm estimates the degree of an irreducible factor of a polynomial from Euler-Poincaré characteristics of random Drinfeld modules. Knowledge of a factor degree allows one to rapidly extract all factors of that degree. As a consequence, the problem of factoring polynomials over finite fields in time nearly linear in the degree is reduced to finding Euler-Poincaré characteristics of random Drinfeld modules with high probability. The second algorithm is a random Drinfeld module analogue of Berlekamp’s algorithm. During the course of its analysis, we prove a new bound on degree distributions in factorization patterns of polynomials over finite fields in certain short intervals.


1. Introduction 

1.1. Current State of the Art. Let $\mathbb{F}_q$ denote the finite field with $q$ elements and $\mathbb{F}_q[t]$ the polynomial ring in one indeterminate. The fastest known randomized algorithm for factorization in $\mathbb{F}_q[t]$ is the Kaltofen-Shoup algorithm [KS98, § 2] implemented by Kedlaya-Umans fast modular composition [KU08]. It belongs in the Cantor-Zassenhaus [CZ81] framework and to factor a polynomial of degree $n$ takes $\tilde{O}(\ldots \log q + n \log^2 q)$ expected time by employing the following sequence of steps. The first is square free factorization where the polynomial in question is written as a product of square free polynomials. A square free polynomial is one that does not contain a square of an irreducible polynomial as a factor. The second step, known as distinct degree factorization, takes a monic square free polynomial and decomposes it into factors each of which is a product of irreducible polynomials of the same degree. The final step is equal degree factorization, which splits a polynomial all of whose irreducible factors are of the same degree into irreducible factors. The bottleneck is distinct degree factorization and currently the difficulty appears to be in finding the factor degrees. Given the degree of a factor, one can extract all factors of that degree in $\tilde{O}(n \log^2 q)$ expected time [KU08].

1.2. Polynomial Factorization and Euler-Poincaré Characteristic of Drinfeld Modules. We propose a novel procedure to read off the smallest factor degree of a monic square free polynomial $h \in \mathbb{F}_q[t]$ from the Euler-Poincaré characteristic $\chi_{\phi,h}$ of a random rank 2 Drinfeld module $\phi$ reduced at $h$. The reduction of $\phi$ at $h$ is a finite $\mathbb{F}_q[t]$-module and its Euler-Poincaré characteristic $\chi_{\phi,h} \in \mathbb{F}_q[t]$ (see Definition 2.1) is an $\mathbb{F}_q[t]$-valued cardinality measure. If $h$ factors into monic irreducible factors as $h = \prod_i p_i$, then $\chi_{\phi,h} = \prod_i \chi_{\phi,p_i}$. A Drinfeld module analogue of Hasse’s theorem for elliptic curves, due to Gekeler [Gek91], asserts for each $p_i$ that $\chi_{\phi,p_i} = p_i + c_{\phi,i}$ for some $c_{\phi,i} \in \mathbb{F}_q[t]$ with $\deg(c_{\phi,i}) < \deg(p_i)/2$. Hence, the leading coefficients of $h$ and $\chi_{\phi,h}$ agree and the number of agreements reveals information about the degree of the smallest degree factor of $h$. In § 3 we prove,

The author was partially supported by NSF grant CCF 1423544. 

¹ The soft $O$ notation suppresses $\ldots$ and $\log^{O(1)} q$ terms for ease of exposition.
Theorem 1.1. For $n < \sqrt{q}/2$, the smallest factor degree of a degree $n$ square free $h \in \mathbb{F}_q[t]$ can be inferred in $\tilde{O}(n \log q)$ time from $\chi_{\phi,h}$ with probability at least $1/4$ for a randomly chosen $\phi$.

Consider an algorithm $B$ that takes a square free $h \in \mathbb{F}_q[t]$ and a random Drinfeld module $\phi$ as inputs such that with constant probability the output $B(h,\phi)$ is $\chi_{\phi,h}$. That is, $B$ is a Monte Carlo algorithm to compute Euler-Poincaré characteristics. By choosing $\phi$ at random and invoking Theorem 1.1 we establish that a non trivial factor can be found in nearly linear time with oracle access to $B$.

Corollary 1.2. There exists an $\tilde{O}(n \log^2 q)$ expected time algorithm (with oracle access to $B$) to find an irreducible factor of a square free polynomial $h \in \mathbb{F}_q[t]$ of degree $n < \sqrt{q}/2$ with only $O(1)$ queries to $B$, each of the form $B(h, \phi)$.

The requirement $\sqrt{q} > 2n$ in Theorem 1.1 and Corollary 1.2 is without loss of generality since if $q$ were smaller, we could choose a small power $q'$ of $q$ that satisfies $\sqrt{q'} > 2n$ and obtain the factorization over $\mathbb{F}_{q'}[t]$ with the running time unchanged up to polylogarithmic factors in $n$ (see Remark 3.2).

Given oracle access to $B$, obtaining the complete factorization by naively extracting one factor at a time using Corollary 1.2 leads to a $3/2$ running time exponent on $n$. For instance, a polynomial of degree $n$ with one irreducible factor each of degree $1, 2, 3, \ldots, m-1, m$, where $m(m+1)/2 = n$, requires $O(n^{1/2})$ extractions. In [GNU15], an algorithm to quickly obtain the complete factorization given a procedure to extract a non trivial factor as a subroutine is described. As a consequence, an algorithm for implementing $B$ with exponent less than $3/2$ would lead to a polynomial factorization algorithm with exponent less than $3/2$. As an illustration, in § 3.2 we obtain the following corollary of Theorem 1.1 describing an implication of a nearly linear time algorithm for computing Euler-Poincaré characteristics of random Drinfeld modules.

Corollary 1.3. An implementation of the oracle function $B$ that takes $\tilde{O}(n \log^{\ldots} q)$ expected time for inputs of degree $n$ yields an $\tilde{O}(n^{\ldots} \log^{\ldots} q)$ expected time polynomial factorization algorithm.

We describe our first complete polynomial factorization algorithm by presenting an implementation of $B$. Assuming the matrix multiplication exponent $\omega$ is $2$, our implementation of $B$ and hence the polynomial factorization algorithm both have running time exponent $3/2$ in the input degree. A faster implementation of $B$ would break the $3/2$ exponent barrier in polynomial factorization. Thus, the problem of computing Euler-Poincaré characteristics of random Drinfeld modules warrants a thorough investigation. The problem is analogous to point counting on elliptic curves over finite fields and the question as to whether there is a Drinfeld module analogue of Schoof’s algorithm [Sch95] is immediate.

We next briefly sketch our implementation of $B$. The obvious procedure to compute $\chi_{\phi,h}$ for a given square free $h \in A$ and a rank 2 Drinfeld module $\phi$ is to compute the characteristic polynomial of the ($\mathbb{F}_q$-linear) action of $\phi_t$ on $\mathbb{F}_q[t]/(h)$. However, the complexity of such generic linear algebraic techniques is equivalent to inverting square matrices of dimension $\deg(h)$. We devise a faster implementation of $B$ by exploiting the fact that the input $\phi$ to $B$ is chosen at random. For $q > 2\deg(h)^{\ldots}$, which we may assume without loss of generality, we prove it is likely that the reduction of a random $\phi$ at $h$ is a cyclic $\mathbb{F}_q[t]$-module and further that $\chi_{\phi,h}$ coincides with the order (that is, the monic generator of the annihilator) of a random element in $\phi$ reduced at $h$. Implementing $B$ is thus reduced to finding the order of a random element in a random Drinfeld module reduced at $h$ with constant probability. In § 3.1 we solve the order finding problem by posing it as an instance of the automorphism projection problem of Kaltofen-Shoup [KS98] and thereby obtain an $\tilde{O}(n^{(\omega+1)/2} \log q + n \log^2 q)$ expected time algorithm to find a factor. In § 3.2 we describe how to obtain the complete factorization.
1.3. Drinfeld Module Analogue of Berlekamp’s Algorithm. Our second algorithm is a randomized Drinfeld analogue of Berlekamp’s algorithm [Ber67] wherein $\mathbb{F}_q[t]$-modules twisted by the Frobenius action are replaced with reductions of random rank-2 Drinfeld modules. It has the distinction of being the only polynomial factorization algorithm over finite fields that does not involve a quadratic residuosity like map. To factor $h \in \mathbb{F}_q[t]$, Berlekamp’s algorithm proceeds by finding a basis for the Berlekamp subalgebra, which is the fixed space of the $q$-th power Frobenius $\tau$ acting on $\mathbb{F}_q[t]/(h)$. Then (as in the Cantor-Zassenhaus [CZ81] variant) a random element $\beta$ in the Berlekamp subalgebra is generated by taking a random $\mathbb{F}_q$ linear combination of the basis elements. When $q$ is odd, with probability at least half, the greatest common divisor of $h$ and a lift of $\ldots - 1$ is a non trivial factor of $h$. In place of the $\mathbb{F}_q[t]$-module $\mathbb{F}_q[t]/(h)$ and its Berlekamp subalgebra (which is the $\tau - 1$ torsion in $\mathbb{F}_q[t]/(h)$), our second algorithm works over a random Drinfeld module reduced at $h$ and its torsion corresponding to low degree polynomials in the Drinfeld action. These low degree polynomials are precisely the low degree factors of $\chi_{\phi,h}$. In terms of implementation, the algorithm closely resembles the fast black-box algorithm of Kaltofen-Shoup [KS98, § 3] and shares its $\tilde{O}(\ldots \log q + n \log^2 q)$ expected running time.


Our analysis of the Drinfeld analogue of Berlekamp’s algorithm relies on bounds on the degree distribution of factorization patterns of polynomials in short intervals in $\mathbb{F}_q[t]$. We prove the required bounds, but only when $q$ is very large compared to $n$. When $q$ is not large enough, the claimed running times hold under a widely believed conjecture (see Conjecture 4.2) and a slower running time bound is proven unconditionally (see Remark 5.3). We next state the bounds for large $q$ since they might be of independent interest.


1.4. Factorization Patterns of Polynomials in Short Intervals. For a partition $\lambda$ of a positive integer $d$, let $P(\lambda)$ denote the fraction of permutations on $d$ letters whose cycle decompositions correspond to $\lambda$. When $q$ is large enough compared to $d$, a random polynomial in $\mathbb{F}_q[t]$ of degree $d$ has a factorization pattern corresponding to a partition $\lambda$ of $d$ with probability about $P(\lambda)$ [Coh]. In § 4 we prove that the degree distribution of a random polynomial in the interval $I_{f,m} := \{f + a \mid a \in \mathbb{F}_q[t], \deg(a) < m\}$ around $f \in \mathbb{F}_q[t]$ is not far from the degree distribution of a random polynomial of degree $d$.


Theorem 1.4. For every $f \in \mathbb{F}_q[t]$ of degree $d$ bounded by $\log q > 3d \log d$, for every $m \ge 2$ and for every partition $\lambda$ of $d$,

$$\bigl(1 - \ldots\bigr)\, P(\lambda) \;\le\; \frac{|\{g \in I_{f,m} \mid \lambda_g = \lambda\}|}{|I_{f,m}|} \;\le\; \bigl(1 + \ldots\bigr)\, P(\lambda),$$

where $\lambda_g$ denotes the partition of $\deg(g)$ induced by the degrees of the irreducible factors of $g$.


1.5. Related Work. Our algorithms draw inspiration from Lenstra’s elliptic curve integer factorization [Len87] where the role of multiplicative groups modulo primes in Pollard’s $p - 1$ algorithm [Pol74] was recast with the group of rational points on random elliptic curves modulo primes. Our first algorithm for degree estimation using Euler-Poincaré characteristic is a random Drinfeld module analogue of an algorithm described in the author’s Ph.D thesis [Nar14, Chap 7] using Carlitz modules. To our knowledge, the use of Drinfeld modules to factor polynomials over finite fields originated with Panchishkin and Potemine [PP89] whose algorithm was rediscovered by van der Heiden [vdH04] (see also [vdH04-1]). Our Drinfeld module analogue of Berlekamp’s algorithm shares some similarities with the algorithm in [vdH04] but they differ in the following aspects. In contrast to our algorithm, the algorithm in [vdH04] only works for equal degree factorization and targets torsion corresponding to large degree polynomials to aid in the splitting, resulting in a slower running time. Further, its analysis was merely supported by heuristics. Using Theorem 1.4 and Lemma 2.3 the proof of Lemma 5.2 can be extended to rigorously analyze the algorithm in [vdH04] for large $q$ when restricted to rank 2 Drinfeld modules.
1.6. Organization. The analysis of our algorithms relies critically on the distribution of the characteristic polynomial (of the Frobenius endomorphism in the representation of the endomorphism ring) of a random rank 2 Drinfeld module (on its $\ell$-adic Tate modules). In § 2 we prove Lemma 2.3, the required equidistribution lemma on the aforementioned characteristic polynomial. We begin § 2 by recounting the theory of rank 2 Drinfeld modules followed by § 2.1 where the structure of rank 2 Drinfeld modules in terms of its characteristic polynomial is described. In § 2.2 we state a weighted class number formula for isomorphism classes of Drinfeld modules with a given characteristic polynomial (due to Gekeler [Gek08]) and from it derive Lemma 2.3. Gekeler’s weighted class number formula is obtained through complex multiplication theory, that is, a correspondence between isomorphism classes of Drinfeld modules and Gauss class numbers in certain imaginary quadratic orders. While they hold in even characteristic, for ease of exposition, we assume in § 2.2 and consequently in the analysis of our algorithms that $q$ is odd. In § 3 we state and analyze our first algorithm, namely to estimate factor degrees by computing Euler-Poincaré characteristic, and prove Theorem 1.1 and Corollaries 1.2 and 1.3. Theorem 1.4 concerning factorization patterns of polynomials in short intervals is proven in § 4, which can be read independent of the rest of the paper. The Drinfeld analogue of Berlekamp’s algorithm is described and analyzed in § 5.

A remarkable feature of our algorithms and reductions is that we address the factorization of a square free $h = \prod_i p_i$ by looking at $\chi_{\phi,h} = \prod_i \chi_{\phi,p_i}$ for random $\phi$. We may view $\chi_{\phi,h}$ as a perturbation of $h$, since $\chi_{\phi,p_i}$ is the irreducible factor $p_i$ of $h$ perturbed within a half degree (of $p_i$) interval. These intervals widen with Drinfeld modules of increasing rank. Theorem 1.4 and Lemma 2.3 together imply that even for rank 2, the intervals are large enough for $\chi_{\phi,p_i}$ to exhibit random factorization patterns. This allowed us to pose the worst case complexity of polynomial factorization in terms of an average complexity statement (Corollary 1.3) concerning Drinfeld modules. It would be interesting to see if this perturbation leads to worst case to average case reductions for other multiplicative problems.

2. Finite Rank-2 Drinfeld Modules 

Let $A = \mathbb{F}_q[t]$ denote the polynomial ring in the indeterminate $t$ and let $K$ be a field with a non zero ring homomorphism $\gamma : A \to K$. Necessarily, $K$ contains $\mathbb{F}_q$ as a subfield. Fix an algebraic closure $\bar{K}$ of $K$ and let $\tau : \bar{K} \to \bar{K}$ denote the $q$-th power Frobenius endomorphism. The ring of endomorphisms of the additive group scheme $\mathbb{G}_a$ over $K$ can be identified with the skew polynomial ring $K\{\tau\}$ where $\tau$ satisfies the commutation rule $\forall u \in K,\ \tau u = u^q \tau$. A rank-2 Drinfeld module over $K$ is (the $A$-module structure on $\mathbb{G}_a$ given by) a ring homomorphism

$$\phi : A \to K\{\tau\}, \qquad t \mapsto \gamma(t) + g_\phi \tau + \Delta_\phi \tau^2$$

for some $g_\phi \in K$ and $\Delta_\phi \in K^\times$. For $a \in A$, let $\phi_a$ denote the image of $a$ under $\phi$. We will concern ourselves primarily with rank 2 Drinfeld modules and unless otherwise noted, a Drinfeld module will mean a rank 2 Drinfeld module.

To every $A$-algebra $L$ over $K$, the Drinfeld module $\phi$ endows a new $A$-module structure (which we denote by $\phi(L)$) through the $A$-action

$$\forall f \in L,\ \forall a \in A,\quad a * f = \phi_a(f).$$

For every $A$-algebra homomorphism $\rho : L \to L'$, $\forall a \in A$ and $\forall f \in L$, $\rho(\phi_a(f)) = \phi_a(\rho(f))$. Thus $\rho$, when thought of as a map from $\phi(L) \to \phi(L')$, is an $A$-module homomorphism. For every direct product $L \times L'$ of $A$-algebras over $K$, we hence have the corresponding direct sum of $A$-modules

$$\phi(L \times L') \cong \phi(L) \oplus \phi(L').$$
Henceforth, we restrict our attention to Drinfeld modules $\phi : A \to \mathbb{F}_q(t)\{\tau\}$ over $\mathbb{F}_q(t)$ (with $\gamma : A \to \mathbb{F}_q(t)$ being the inclusion (identity map), $g_\phi \in A$ and $\Delta_\phi \in A$) and their reductions.

For a proper ideal $\mathfrak{f} \subset A$, let $\mathbb{F}_{\mathfrak{f}}$ denote $A/\mathfrak{f}$. For a prime ideal $\mathfrak{p} \subset A$, if $\Delta_\phi$ is non zero modulo $\mathfrak{p}$, then the reduction $\phi/\mathfrak{p} := \phi \otimes \mathbb{F}_{\mathfrak{p}}$ of $\phi$ at $\mathfrak{p}$ is defined through the ring homomorphism

$$\phi/\mathfrak{p} : A \to \mathbb{F}_{\mathfrak{p}}\{\tau\}, \qquad t \mapsto t + (g_\phi \bmod \mathfrak{p})\tau + (\Delta_\phi \bmod \mathfrak{p})\tau^2$$

and the image of $a \in A$ under $\phi/\mathfrak{p}$ is denoted by $(\phi/\mathfrak{p})_a$. Even if $\Delta_\phi$ is zero modulo $\mathfrak{p}$, one can still obtain the reduction $(\phi/\mathfrak{p})$ of $\phi$ at $\mathfrak{p}$ through minimal models of $\phi$ (c.f. [Gek91]). We refrain from addressing this case since our algorithms do not require it.

As before, the Drinfeld module $\phi/\mathfrak{p}$ endows a new $A$-module structure (denoted by $(\phi/\mathfrak{p})(L)$) to every $A$-algebra $L$ over the algebraic closure of $\mathbb{F}_{\mathfrak{p}}$ through the $A$-action

$$\forall f \in L,\ \forall a \in A,\quad a * f = (\phi/\mathfrak{p})_a(f)$$

and for every direct product $L \times L'$ of $A$-algebras over the algebraic closure of $\mathbb{F}_{\mathfrak{p}}$,

$$(\phi/\mathfrak{p})(L \times L') \cong (\phi/\mathfrak{p})(L) \oplus (\phi/\mathfrak{p})(L').$$

Further, for every $A$-algebra $L$ over the algebraic closure of $\mathbb{F}_{\mathfrak{p}}$, $\phi(L) = (\phi/\mathfrak{p})(L)$.

Define the annihilator $\mathrm{Ann}(L)$ of a finite $A$-module $L$ to be the monic generator of the annihilator ideal $\{a \in A \mid aL = 0\}$ of $L$. Define the $A$-order $\mathrm{Ord}(\alpha)$ of an element $\alpha$ in a finite $A$-module $L$ to be the monic generator of the annihilator ideal $\{a \in A \mid a\alpha = 0\}$ of $\alpha$. For $f \in A$, denote by $(f)$ the ideal generated by $f$ and by $\deg(f)$ the degree of $f$. For a non zero ideal $\mathfrak{f} \subset A$, let $\deg(\mathfrak{f})$ denote the degree of its monic generator. For $f, g \in A$, by $\gcd(f, g)$ we mean the monic generator of the ideal generated by $f$ and $g$.

Definition 2.1. Following [Gek91], the Euler-Poincaré characteristic of a finite $A$-module $L$ is defined as the unique monic polynomial $\chi(L) \in A$ such that

(1) If $L = A/\mathfrak{p}$ for a prime ideal $\mathfrak{p} \subset A$, then $(\chi(L)) = \mathfrak{p}$;

(2) If $0 \to L_1 \to L \to L_2 \to 0$ is exact, then $\chi(L) = \chi(L_1)\chi(L_2)$.

The above definition is a minor departure from [Gek91], where $\chi(L)$ was defined as an ideal, not a monic generator. For a non zero ideal $\mathfrak{f} \subset A$ and a Drinfeld module $\phi$, let $\chi_{\phi,\mathfrak{f}}$ denote $\chi(\phi(\mathbb{F}_{\mathfrak{f}}))$. By definition, $\mathrm{Ann}(\phi(\mathbb{F}_{\mathfrak{f}}))$ divides $\chi_{\phi,\mathfrak{f}}$.

2.1. Frobenius Distributions and the Structure of Rank 2 Drinfeld Modules. In this subsection, we recount the characterization of the $A$-module structure of reductions of Drinfeld modules at primes due to Gekeler. Unless stated otherwise, proofs of claims made here are in [Gek91]. For Drinfeld modules $\phi, \psi$ with reduction at a prime $\mathfrak{p} \subset A$, a $\mu \in \mathbb{F}_{\mathfrak{p}}\{\tau\}$ such that

$$\forall a \in A,\quad \mu\,(\phi/\mathfrak{p})_a = (\psi/\mathfrak{p})_a\,\mu$$

is called a morphism from $\phi/\mathfrak{p}$ to $\psi/\mathfrak{p}$. Let $\mathrm{End}_{\mathbb{F}_{\mathfrak{p}}}(\phi)$ denote the endomorphism ring of $\phi/\mathfrak{p}$. The Frobenius at $\mathfrak{p}$, $\tau^{\deg(\mathfrak{p})}$, is in $\mathrm{End}_{\mathbb{F}_{\mathfrak{p}}}(\phi)$ and there exists a polynomial

$$P_{\phi,\mathfrak{p}}(X) = X^2 - a_{\phi,\mathfrak{p}} X + b_{\phi,\mathfrak{p}} \in A[X]$$

(called the characteristic polynomial of the Frobenius at $\mathfrak{p}$) such that $P_{\phi,\mathfrak{p}}(\tau^{\deg(\mathfrak{p})}) = 0$ in $\mathrm{End}_{\mathbb{F}_{\mathfrak{p}}}(\phi)$. The polynomial $P_{\phi,\mathfrak{p}}$ is called the characteristic polynomial because it is the characteristic polynomial of $\tau^{\deg(\mathfrak{p})}$ in the representations of $\mathrm{End}_{\mathbb{F}_{\mathfrak{p}}}(\phi)$ on the $\ell$-adic Tate modules for prime ideals $\ell \subset A$.

Furthermore, a rank-2 Drinfeld module analogue of Hasse’s theorem for elliptic curves states that

$$(b_{\phi,\mathfrak{p}}) = \mathfrak{p}, \qquad \deg(a_{\phi,\mathfrak{p}}) \le \deg(\mathfrak{p})/2.$$

To be precise, the coefficient $b_{\phi,\mathfrak{p}} = \varepsilon_{\phi,\mathfrak{p}}\, p$ where $p$ is the monic generator of $\mathfrak{p}$ and $\varepsilon_{\phi,\mathfrak{p}} = \ldots$, where $N_{\mathbb{F}_{\mathfrak{p}}/\mathbb{F}_q}$ is the norm from $\mathbb{F}_{\mathfrak{p}}$ to $\mathbb{F}_q$. As in the elliptic curve case, $a_{\phi,\mathfrak{p}}$ is referred to as the Frobenius trace; a consequence of the aforementioned connection to Tate modules. Since $\tau^{\deg(\mathfrak{p})}$ acts as the identity on $\phi(\mathbb{F}_{\mathfrak{p}})$, $P_{\phi,\mathfrak{p}}(1)$ kills $\phi(\mathbb{F}_{\mathfrak{p}})$ (that is, $(\phi/\mathfrak{p})_{P_{\phi,\mathfrak{p}}(1)}$ is the zero element in $\mathrm{End}_{\mathbb{F}_{\mathfrak{p}}}(\phi)$). In fact,

$$(\chi_{\phi,\mathfrak{p}}) = (P_{\phi,\mathfrak{p}}(1)), \qquad \chi_{\phi,\mathfrak{p}} = p - (a_{\phi,\mathfrak{p}} - 1)/\varepsilon_{\phi,\mathfrak{p}}.$$

As a consequence of $\phi$ being of rank 2, $\phi(\mathbb{F}_{\mathfrak{p}})$ is either a cyclic $A$-module or a direct sum of two cyclic $A$-modules. That is, there exist monic polynomials $m_{\phi,\mathfrak{p}}, n_{\phi,\mathfrak{p}} \in A$ (not necessarily relatively prime) such that as $A$-modules

$$\phi(\mathbb{F}_{\mathfrak{p}}) \cong A/(m_{\phi,\mathfrak{p}}) \oplus A/(m_{\phi,\mathfrak{p}} n_{\phi,\mathfrak{p}}).$$

In particular,

$$\chi_{\phi,\mathfrak{p}} = p - (a_{\phi,\mathfrak{p}} - 1)/\varepsilon_{\phi,\mathfrak{p}} = m_{\phi,\mathfrak{p}}^2 n_{\phi,\mathfrak{p}}, \qquad \mathrm{Ann}(\phi(\mathbb{F}_{\mathfrak{p}})) = \mathrm{lcm}(m_{\phi,\mathfrak{p}}, m_{\phi,\mathfrak{p}} n_{\phi,\mathfrak{p}}) = m_{\phi,\mathfrak{p}} n_{\phi,\mathfrak{p}}.$$

Further still, when $q$ is odd, $m_{\phi,\mathfrak{p}}$ and $n_{\phi,\mathfrak{p}}$ are completely determined by $P_{\phi,\mathfrak{p}}$ and a precise characterization of $m_{\phi,\mathfrak{p}}$ and $n_{\phi,\mathfrak{p}}$ in terms of $a_{\phi,\mathfrak{p}}$ and $\varepsilon_{\phi,\mathfrak{p}}$ is described by Cojocaru and Papikian [CP14, Cor 3].

Seeing that the characteristic polynomial completely determines the $A$-module structure of a Drinfeld module reduced at a prime $\mathfrak{p}$, the question as to which polynomials can arise as such characteristic polynomials is immediate and is addressed in [Dri77], [Gek91] and [Yu95]. Yu [Yu95] relates the number of isomorphism classes of Drinfeld modules $(\phi/\mathfrak{p})$ with a given characteristic polynomial $X^2 - aX + \varepsilon p$ to class numbers of orders in imaginary quadratic extensions over $K$. This relation arises from a theory that bears likeness to the complex multiplication theory of elliptic curves. Gekeler [Gek08], using the complex multiplication theory, proved a precise characterization of the number of isomorphism classes of Drinfeld modules $(\phi/\mathfrak{p})$ with a given characteristic polynomial $X^2 - aX + \varepsilon p$. Gekeler’s characterization implies a certain equidistribution of the probability of $X^2 - aX + \varepsilon p$ being $P_{\phi,\mathfrak{p}}$ for a randomly chosen $\phi$ and is discussed in the subsequent subsection.

2.2. Frobenius Distributions of Rank 2 Drinfeld Modules. Let $\mathfrak{p} \subset A$ be a prime of degree $d$ and let $p$ be its monic generator. Analysis of our algorithms will involve counting Drinfeld modules $(\phi/\mathfrak{p})$ with characteristic polynomial $P_{\phi,\mathfrak{p}}(X) = X^2 - aX + \varepsilon p$ for a given $\varepsilon \in \mathbb{F}_q^\times$ and $a \in A$ of degree at most $d/2$.

Such precise counts were proven by Gekeler [Gek08] by building on the connection between isomorphism classes of Drinfeld modules over $\mathbb{F}_{\mathfrak{p}}$ and class numbers of imaginary quadratic orders established by Yu [Yu95]. We begin the section by stating the result of Gekeler in equation 2.1 and later prove lemmas that will find use in the analysis of our algorithms.

We identify a Drinfeld module $(\phi/\mathfrak{p})$ with the tuple $(g_\phi \bmod \mathfrak{p}, \Delta_\phi \bmod \mathfrak{p})$. The number of Drinfeld modules $(\phi/\mathfrak{p})$ is $|\mathbb{F}_{\mathfrak{p}}|\,|\mathbb{F}_{\mathfrak{p}}^\times|$ since we get to pick $g_\phi \bmod \mathfrak{p}$ from $\mathbb{F}_{\mathfrak{p}}$ and $\Delta_\phi \bmod \mathfrak{p}$ from $\mathbb{F}_{\mathfrak{p}}^\times$. Two Drinfeld modules $(\phi/\mathfrak{p})$ and $(\psi/\mathfrak{p})$ are isomorphic over $\mathbb{F}_{\mathfrak{p}}$ if and only if there is a $c \in \mathbb{F}_{\mathfrak{p}}^\times$ such that $g_\psi \equiv \ldots \pmod{\mathfrak{p}}$ and $\Delta_\psi \equiv \ldots \pmod{\mathfrak{p}}$.

As a consequence, the automorphism group $\mathrm{Aut}_{\mathbb{F}_{\mathfrak{p}}}(\phi)$ depends on whether $g_\phi \bmod \mathfrak{p} = 0$. If $g_\phi \bmod \mathfrak{p} = 0$ and if further $\mathbb{F}_{\mathfrak{p}}$ contains a quadratic extension (call it $\mathbb{F}_{q^2}$) of $\mathbb{F}_q$, then $\mathrm{Aut}_{\mathbb{F}_{\mathfrak{p}}}(\phi) = \mathbb{F}_{q^2}^\times$. Else, $\mathrm{Aut}_{\mathbb{F}_{\mathfrak{p}}}(\phi) = \mathbb{F}_q^\times$. The former case $\mathrm{Aut}_{\mathbb{F}_{\mathfrak{p}}}(\phi) = \mathbb{F}_{q^2}^\times$ corresponds to $\phi$ having complex multiplication by $\mathbb{F}_{q^2}[t]$ and is rare.


For $\varepsilon \in \mathbb{F}_q^\times$ and $a \in A$ not necessarily monic and of degree at most $\deg(p)/2$, denote by $H(a, \varepsilon, \mathfrak{p})$ a set of representatives of isomorphism classes of Drinfeld modules $(\phi/\mathfrak{p})$ with $P_{\phi,\mathfrak{p}}(X) = X^2 - aX + \varepsilon p$. Define

$$h^*(a, \varepsilon, \mathfrak{p}) := \sum_{(\phi/\mathfrak{p}) \in H(a,\varepsilon,\mathfrak{p})} \frac{q - 1}{|\mathrm{Aut}_{\mathbb{F}_{\mathfrak{p}}}(\phi)|}$$

which might be thought of as a weighted count of the isomorphism classes of Drinfeld modules with $P_{\phi,\mathfrak{p}}(X) = X^2 - aX + \varepsilon p$ where the weight $(q-1)/|\mathrm{Aut}_{\mathbb{F}_{\mathfrak{p}}}(\phi)|$ is $1$ except in rare cases. We next describe the connection between class numbers of certain imaginary quadratic orders and $h^*(a, \varepsilon, \mathfrak{p})$.


Fix an $\varepsilon \in \mathbb{F}_q^\times$ and an $a \in A$ of degree at most $\deg(p)/2$. Let $C$ be the $A$-algebra generated by a root of $X^2 - aX + \varepsilon p$ and let $E$ be the quotient field of $C$. It turns out that $E$ is an imaginary quadratic extension of $k$.

Yu [Yu95] proved that two Drinfeld modules are isogenous if and only if they have the same characteristic polynomial and further established that the number of isomorphism classes of Drinfeld modules with characteristic polynomial $X^2 - aX + \varepsilon p$ equals the Gauss class number of $C$. This connection is analogous to a similar statement concerning elliptic curves due to Deuring [Deu41]. Further, the weighted count $h^*(a, \varepsilon, \mathfrak{p})$ equals a certain appropriately weighted Gauss class number of $C$ which was explicitly computed by Gekeler [Gek08] using an analytic class number formula. We next summarize this result of Gekeler assuming for ease of exposition that $\mathbb{F}_q$ is of odd characteristic throughout this section.

Let $B$ be the integral closure of $A$ in $E$. Let $D$ denote the discriminant $a^2 - 4\varepsilon p$ and $f$ the largest monic square factor of $D$. Let $D_0 = D/f$. Then $C = A + fB$.

Let $\xi$ denote the Dirichlet character associated with $E$ and for $\Re(s) > 1$ define the $L$-function

$$L(s, \xi) := \prod_{\ell \text{ prime of } k} \bigl(1 - \xi(\ell)\,|\ell|^{-s}\bigr)^{-1}.$$

The unique prime at infinity $\infty$ is ramified in $E/k$ if $\deg(D_0)$ is odd and is inert if $\deg(D_0)$ is even. Let $\eta$ denote the ramification index of $\infty$ in $E/k$ (that is, $\eta = 2$ if $\deg(D_0)$ is odd and $\eta = 1$ otherwise). Let $g$ denote the genus of the algebraic curve associated with $E$. Then

$$h^*(a, \varepsilon, \mathfrak{p}) = \eta\, q^{g}\, S(f)\, L(1, \xi)$$

where

$$S(f) := \sum_{\mathfrak{f}' \mid \mathfrak{f}} |\mathbb{F}_{\mathfrak{f}'}| \prod_{\ell \mid \mathfrak{f}'} \bigl(1 - \xi(\ell)\,|\mathbb{F}_\ell|^{-1}\bigr).$$

Here $\mathfrak{f} \subset A$ is the ideal generated by $f$, the summation is over proper ideals $\mathfrak{f}'$ dividing $\mathfrak{f}$ and the product is over prime ideals $\ell$ dividing $\mathfrak{f}'$. When $\mathfrak{f}$ is not $A$, we have

$$S(f) \ge |\mathbb{F}_{\mathfrak{f}}|.$$

The conductor $\mathrm{cond}(\xi)$ of $\xi$ is

$$\mathrm{cond}(\xi) = \begin{cases} (D_0) & \text{if } \deg(D_0) \text{ is even} \\ (D_0)\cdot\infty & \text{if } \deg(D_0) \text{ is odd.} \end{cases}$$
But for a couple of exceptional cases, the genus $g$ is determined by $\mathrm{cond}(\xi)$ as

$$g = \deg(\mathrm{cond}(\xi))/2 - 1.$$

The inequality 2.1 we arrive at for $h^*(a, \varepsilon, \mathfrak{p})$ will be accurate in those exceptional cases as well. Thus we refrain from mentioning the exceptional cases, referring instead the interested reader to [Gek08]. Thus

$$q^{g} = \begin{cases} q^{\deg(D_0)/2 - 1} & \text{if } \deg(D_0) \text{ is even} \\ q^{\deg(D_0)/2 - 1/2} & \text{if } \deg(D_0) \text{ is odd} \end{cases}$$

and

$$|\mathbb{F}_{\mathfrak{f}}|\, q^{g} = \begin{cases} q^{\deg(D)/2 - 1} & \text{if } \deg(D) \text{ is even} \\ q^{\deg(D)/2 - 1/2} & \text{if } \deg(D) \text{ is odd.} \end{cases}$$

In summary,

$$(2.1) \qquad h^*(a, \varepsilon, \mathfrak{p}) \ge \begin{cases} q^{\deg(D)/2 - 1}\, L(1, \xi) & \text{if } \deg(D) \text{ is even} \\ 2\, q^{\deg(D)/2 - 1/2}\, L(1, \xi) & \text{if } \deg(D) \text{ is odd.} \end{cases}$$

Lemma 2.2. Let $\mathfrak{p} \subset A$ be a prime ideal and $p$ its monic generator. For every $S \subset \{(a, \varepsilon) \in A \times \mathbb{F}_q^\times \mid \deg(a^2 - 4\varepsilon p) = \deg(p)\}$,

$$\sum_{(a,\varepsilon) \in S} h^*(a, \varepsilon, \mathfrak{p}) \ge \begin{cases} |S|\,\sqrt{|\mathbb{F}_{\mathfrak{p}}|}\,\bigl(1 - \deg(p)/\sqrt{q}\bigr)/q & \text{if } \deg(p) \text{ is even} \\ 2\,|S|\,\sqrt{|\mathbb{F}_{\mathfrak{p}}|}\,\bigl(1 - \deg(p)/\sqrt{q}\bigr)/\sqrt{q} & \text{if } \deg(p) \text{ is odd.} \end{cases}$$


Proof. We first lower bound $L(1, \xi)$ for a $\xi$ corresponding to an arbitrary $(a, \varepsilon)$.

$$L(1, \xi) = \bigl(1 - \xi(\infty)\,|\infty|^{-1}\bigr)^{-1} \prod_{\ell \text{ prime of } A} \bigl(1 - \xi(\ell)\,|\ell|^{-1}\bigr)^{-1} \;\ge\; \prod_{\ell \text{ prime of } A} \bigl(1 - \xi(\ell)\,|\ell|^{-1}\bigr)^{-1}$$

since $\xi(\infty) \in \{0, 1\}$ and $|\infty| = q$. From Weil’s proof of the Riemann hypothesis for curves over finite fields, there exist $w_i \in \mathbb{C}$ with $|w_i| = \sqrt{q}$ such that

$$\prod_{\ell \text{ prime of } A} \bigl(1 - \xi(\ell)\,|\ell|^{-1}\bigr)^{-1} = \prod_{i=1}^{\deg(\mathrm{cond}(\xi)) - 1} \Bigl(1 - \frac{w_i}{q}\Bigr).$$

Since $\deg(\mathrm{cond}(\xi)) - 1 \le \deg(p)$,

$$\prod_{i=1}^{\deg(\mathrm{cond}(\xi)) - 1} \Bigl|1 - \frac{w_i}{q}\Bigr| \;\ge\; \Bigl(1 - \frac{1}{\sqrt{q}}\Bigr)^{\deg(p)} \;\ge\; 1 - \frac{\deg p}{\sqrt{q}}.$$

For all $(a, \varepsilon) \in S$, since $\deg(a^2 - 4\varepsilon p) = \deg(p)$, inequality 2.1 implies

$$\sum_{(a,\varepsilon) \in S} h^*(a, \varepsilon, \mathfrak{p}) \ge \begin{cases} |S|\,\sqrt{|\mathbb{F}_{\mathfrak{p}}|}\,\bigl(1 - \deg(p)/\sqrt{q}\bigr)/q & \text{if } \deg(p) \text{ is even} \\ 2\,|S|\,\sqrt{|\mathbb{F}_{\mathfrak{p}}|}\,\bigl(1 - \deg(p)/\sqrt{q}\bigr)/\sqrt{q} & \text{if } \deg(p) \text{ is odd.} \end{cases}$$

□
Lemma 2.3. Let $\mathfrak{p} \subset A$ be a prime ideal and $p$ its monic generator. For every $S \subset \{(a, \varepsilon) \in A \times \mathbb{F}_q^\times \mid \deg(a^2 - 4\varepsilon p) = \deg(p)\}$, the number of Drinfeld modules $(\phi/\mathfrak{p})$ over $\mathbb{F}_{\mathfrak{p}}$ with $(a_{\phi,\mathfrak{p}}, \varepsilon_{\phi,\mathfrak{p}}) \in S$ is lower bounded by

$$|\{(\phi/\mathfrak{p}) \mid (a_{\phi,\mathfrak{p}}, \varepsilon_{\phi,\mathfrak{p}}) \in S\}| \ge \begin{cases} |\mathbb{F}_{\mathfrak{p}}^\times|\,|S|\,\sqrt{|\mathbb{F}_{\mathfrak{p}}|}\,\bigl(1 - \deg(p)/\sqrt{q}\bigr)/(q(q-1)) & \text{if } \deg(p) \text{ is even} \\ 2\,|\mathbb{F}_{\mathfrak{p}}^\times|\,|S|\,\sqrt{|\mathbb{F}_{\mathfrak{p}}|}\,\bigl(1 - \deg(p)/\sqrt{q}\bigr)/(\sqrt{q}(q-1)) & \text{if } \deg(p) \text{ is odd.} \end{cases}$$

Proof. Fix an $S \subset \{(a, \varepsilon) \in A \times \mathbb{F}_q^\times \mid \deg(a^2 - 4\varepsilon p) = \deg(p)\}$. Since isomorphisms over $\mathbb{F}_{\mathfrak{p}}$ are given by elements $c \in \mathbb{F}_{\mathfrak{p}}^\times$, the isomorphism class of $(\phi/\mathfrak{p})$ contains $|\mathbb{F}_{\mathfrak{p}}^\times|/|\mathrm{Aut}_{\mathbb{F}_{\mathfrak{p}}}(\phi)|$ Drinfeld modules, so

$$|\{(\phi/\mathfrak{p}) \mid (a_{\phi,\mathfrak{p}}, \varepsilon_{\phi,\mathfrak{p}}) \in S\}| = \sum_{(a,\varepsilon) \in S} \sum_{(\phi/\mathfrak{p}) \in H(a,\varepsilon,\mathfrak{p})} \frac{|\mathbb{F}_{\mathfrak{p}}^\times|}{|\mathrm{Aut}_{\mathbb{F}_{\mathfrak{p}}}(\phi)|} = \frac{|\mathbb{F}_{\mathfrak{p}}^\times|}{q - 1} \sum_{(a,\varepsilon) \in S} h^*(a, \varepsilon, \mathfrak{p}).$$

Applying Lemma 2.2 we get

$$|\{(\phi/\mathfrak{p}) \mid (a_{\phi,\mathfrak{p}}, \varepsilon_{\phi,\mathfrak{p}}) \in S\}| \ge \begin{cases} |\mathbb{F}_{\mathfrak{p}}^\times|\,|S|\,\sqrt{|\mathbb{F}_{\mathfrak{p}}|}\,\bigl(1 - \deg(p)/\sqrt{q}\bigr)/(q(q-1)) & \text{if } \deg(p) \text{ is even} \\ 2\,|\mathbb{F}_{\mathfrak{p}}^\times|\,|S|\,\sqrt{|\mathbb{F}_{\mathfrak{p}}|}\,\bigl(1 - \deg(p)/\sqrt{q}\bigr)/(\sqrt{q}(q-1)) & \text{if } \deg(p) \text{ is odd.} \end{cases}$$

□


3. Degree Estimation and Euler-Poincaré Characteristic of Drinfeld Modules

Henceforth, let $h \in A$ denote the monic square free reducible polynomial whose factorization $h = \prod_i p_i$ into monic irreducible polynomials $p_i \in A$ we seek. By the Chinese remainder theorem, $\mathbb{F}_{\mathfrak{h}} \cong \prod_i \mathbb{F}_{\mathfrak{p}_i}$ where $\mathfrak{h}$ and the $\mathfrak{p}_i$'s are the principal ideals generated by $h$ and the $p_i$'s respectively. We next present a novel algorithm to compute the degree (call it $s_h$) of the smallest degree factor of $h$ using Drinfeld modules.


For a Drinfeld module $\phi$ that has reduction at each prime dividing $\mathfrak{h}$,

$$\phi(\mathbb{F}_{\mathfrak{h}}) \cong \bigoplus_i \phi(\mathbb{F}_{\mathfrak{p}_i}) \cong \bigoplus_i (\phi/\mathfrak{p}_i)(\mathbb{F}_{\mathfrak{p}_i}) \;\Longrightarrow\; \chi_{\phi,\mathfrak{h}} = \prod_i \chi_{\phi,\mathfrak{p}_i} = \prod_i \bigl(p_i - (a_{\phi,\mathfrak{p}_i} - 1)/\varepsilon_{\phi,\mathfrak{p}_i}\bigr).$$

Since $\forall i$, $\deg((a_{\phi,\mathfrak{p}_i} - 1)/\varepsilon_{\phi,\mathfrak{p}_i}) < \deg(p_i)/2$,

$$\chi_{\phi,\mathfrak{h}} = h + \text{terms of smaller degree}.$$

In fact,

$$h - \chi_{\phi,\mathfrak{h}} = \sum_{i : \deg(p_i) = s_h} \frac{a_{\phi,\mathfrak{p}_i} - 1}{\varepsilon_{\phi,\mathfrak{p}_i}} \prod_{j \ne i} p_j + \bigl(\text{terms of degree} < \deg(\mathfrak{h}) - \lceil s_h/2 \rceil\bigr), \qquad \deg(h - \chi_{\phi,\mathfrak{h}}) \le \deg(h) - \lceil s_h/2 \rceil.$$

When $\phi$ is chosen at random, the equidistribution theorem of Gekeler suggests, with high probability,

$$\deg\Bigl(\sum_{i : \deg(p_i) = s_h} \frac{a_{\phi,\mathfrak{p}_i} - 1}{\varepsilon_{\phi,\mathfrak{p}_i}} \prod_{j \ne i} p_j\Bigr) = \deg(h) - \lceil s_h/2 \rceil, \qquad \deg(h - \chi_{\phi,\mathfrak{h}}) = \deg(h) - \lceil s_h/2 \rceil,$$

leading to the following algorithm to compute $s_h$.

Algorithm 3.1.

Input: Monic square free reducible polynomial $h \in A$ of degree $n$.

(1) Choose a Drinfeld module $\phi$ by picking $g_\phi \in A$ and $\Delta_\phi \in A$ each of degree less than $\deg(h)$ independently and uniformly at random.

(2) If $\gcd(\Delta_\phi, h) \ne 1$, output it as a factor. Else $\phi$ has reduction at primes dividing $\mathfrak{h}$ and we proceed.

(3) Compute $\chi_{\phi,\mathfrak{h}}$.

(4) Output: $n - \deg(h - \chi_{\phi,\mathfrak{h}})$.

The running time of the algorithm is dominated by step (3). One way to compute $\chi_{\phi,\mathfrak{h}}$ is as the characteristic polynomial of $\phi_t$ viewed as a linear transformation on $\mathbb{F}_{\mathfrak{h}}$. Computing characteristic polynomials of linear transformations over finite fields can be performed in polynomial time [Sto01].


The output is at least $\lceil s_h/2 \rceil$. We prove in the ensuing lemma that when $q$ is large enough compared to $n$, the output is $\lceil s_h/2 \rceil$ with probability at least $1/4$. We are thus ensured of finding $\lceil s_h/2 \rceil$ with probability $1 - \delta$ with only $O(\log(1/\delta))$ repetitions of the algorithm. From $\lceil s_h/2 \rceil$, we infer that $s_h$ is either $2\lceil s_h/2 \rceil - 1$ or $2\lceil s_h/2 \rceil$. We can test which one is correct by checking if $\gcd(t^{q^{s'}} - t, h)$ is non trivial for the candidate $s'$, and further extract the product of factors of degree $s_h$.
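Algorithm 3.1 on a constructed instance, as an added example that is not part of the paper: $\chi_{\phi,\mathfrak{h}}$ is computed as the characteristic polynomial of $\phi_t$ acting $\mathbb{F}_q$-linearly on $\mathbb{F}_q[t]/(h)$, as the text describes, and the estimate $n - \deg(h - \chi_{\phi,\mathfrak{h}})$ is read off. Assumptions not taken from the paper: $q = 7$ is prime so $\mathbb{F}_q = \mathbb{Z}/7\mathbb{Z}$, $h = (t^3+5)(t^3+4)$, and the characteristic polynomial is obtained by a plain Hessenberg reduction (the paper only cites [Sto01] for this step).

```python
import random
# F_q[t] with q prime: coefficient lists, index = exponent, no trailing zeros.

def trim(f, q):
    f = [c % q for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f

def deg(f):
    return len(f) - 1                        # deg(0) = -1 by convention

def add(f, g, q, sign=1):
    f, g = f + [0] * (len(g) - len(f)), g + [0] * (len(f) - len(g))
    return trim([a + sign * b for a, b in zip(f, g)], q)

def mul(f, g, q):
    n = max(len(f) + len(g) - 1, 0)
    return trim([sum(f[i] * g[k - i] for i in range(len(f)) if 0 <= k - i < len(g)) for k in range(n)], q)

def mod(f, h, q):
    f = trim(f, q)
    while deg(f) >= deg(h):
        c, s = f[-1], deg(f) - deg(h)        # subtract c * t^s * h (h must be monic)
        f = trim([f[i] - c * (h[i - s] if i >= s else 0) for i in range(len(f))], q)
    return f

def powmod(f, e, h, q):
    r, b = [1], mod(f, h, q)
    while e:
        r = mod(mul(r, b, q), h, q) if e & 1 else r
        b, e = mod(mul(b, b, q), h, q), e >> 1
    return r

def gcd(f, g, q):
    """Monic gcd in F_q[t]."""
    f, g = trim(f, q), trim(g, q)
    while g:
        f, g = g, mod(f, [c * pow(g[-1], q - 2, q) % q for c in g], q)
    return [c * pow(f[-1], q - 2, q) % q for c in f] if f else []

def charpoly(A, q):
    """Monic characteristic polynomial (low-to-high) of A over F_q via Hessenberg reduction."""
    n, T = len(A), [row[:] for row in A]
    for c in range(n - 2):                   # similarity transforms zero column c below row c+1
        piv = next((i for i in range(c + 1, n) if T[i][c]), None)
        if piv is None:
            continue
        T[piv], T[c + 1] = T[c + 1], T[piv]
        for row in T:
            row[piv], row[c + 1] = row[c + 1], row[piv]
        inv = pow(T[c + 1][c], q - 2, q)
        for i in range(c + 2, n):
            u = T[i][c] * inv % q
            for k in range(n):
                T[i][k] = (T[i][k] - u * T[c + 1][k]) % q
            for k in range(n):
                T[k][c + 1] = (T[k][c + 1] + u * T[k][i]) % q
    p = [[1]]                                # p[m] = char poly of the leading m x m block of T
    for m in range(1, n + 1):
        cur = [0] * (m + 1)
        for k, a in enumerate(p[m - 1]):     # (x - T[m-1][m-1]) * p[m-1]
            cur[k + 1] = (cur[k + 1] + a) % q
            cur[k] = (cur[k] - T[m - 1][m - 1] * a) % q
        prod = 1
        for i in range(m - 1, 0, -1):        # minus T[i-1][m-1] * (subdiagonal product) * p[i-1]
            prod = prod * T[i][i - 1] % q
            for k, a in enumerate(p[i - 1]):
                cur[k] = (cur[k] - T[i - 1][m - 1] * prod * a) % q
        p.append(cur)
    return p[n]

def euler_poincare(g, delta, h, q):
    """chi_{phi,h}: characteristic polynomial of phi_t = t + g*tau + delta*tau^2 acting
    F_q-linearly on F_q[t]/(h), tau = q-th power Frobenius (column j = phi_t(t^j))."""
    n = deg(h)
    M = [[0] * n for _ in range(n)]
    for j in range(n):
        fq = powmod([0] * j + [1], q, h, q)                     # tau(t^j)
        img = add([0] * (j + 1) + [1], mul(g, fq, q), q)        # t^(j+1) + g*tau(t^j)
        img = add(img, mul(delta, powmod(fq, q, h, q), q), q)   # + delta*tau^2(t^j)
        for i, c in enumerate(mod(img, h, q)):
            M[i][j] = c
    return charpoly(M, q)

def algorithm_3_1(h, q, rng=random):
    """One run of Algorithm 3.1 on monic square free h: ('factor', f) or ('estimate', n - deg(h - chi))."""
    n = deg(h)
    g = trim([rng.randrange(q) for _ in range(n)], q)
    delta = trim([rng.randrange(q) for _ in range(n)], q) or [1]   # rank 2 needs Delta != 0
    d = gcd(delta, h, q)
    if deg(d) > 0:
        return 'factor', d                   # step (2): gcd(Delta, h) is a nontrivial factor
    chi = euler_poincare(g, delta, h, q)     # step (3)
    return 'estimate', n - deg(add(h, chi, q, -1))   # step (4); deg(0) = -1 if chi == h

# Constructed sample over F_7: h = (t^3 + 5)(t^3 + 4), irreducible cubics (2, 3 are non-cubes mod 7), s_h = 3.
Q, P1, P2 = 7, [5, 0, 0, 1], [4, 0, 0, 1]
H = mul(P1, P2, Q)
```

Every run of `algorithm_3_1(H, Q)` that reaches step (4) returns a value of at least $\lceil s_h/2 \rceil = 2$, and the per-prime characteristics multiply to the one computed over $h$, matching $\chi_{\phi,\mathfrak{h}} = \prod_i \chi_{\phi,\mathfrak{p}_i}$.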

Remark 3.2. In the analysis of our algorithms, we may assume without loss of generality that $q > c_1 n^{c_2}$ for some absolute positive constants $c_1$ and $c_2$. If $q$ were smaller, we could choose the smallest prime $c$ that satisfies $q^c > c_1 n^{c_2}$ and obtain the factorization in $\mathbb{F}_{q^c}[t]$ with the running time unchanged up to polylogarithmic factors in $n$. Factors of $h$ irreducible over $\mathbb{F}_q$ and of degree prime to $c$ remain irreducible over $\mathbb{F}_{q^c}$. Factors of $h$ that are irreducible over $\mathbb{F}_q$ of degree (say $d$) divisible by $c$ will split into $c$ distinct irreducible factors over $\mathbb{F}_{q^c}$. From the factorization over $\mathbb{F}_{q^c}$ thus obtained, express $h$ as $h = \prod_i h_i \prod_d h_d$ where $h_i \in \mathbb{F}_q[t]$ are irreducible factors that remained irreducible over $\mathbb{F}_{q^c}$ and $h_d \in \mathbb{F}_{q^c}[t]$ is the product of all irreducible factors of $h$ in $\mathbb{F}_{q^c}[t]$ (but not in $\mathbb{F}_q[t]$) of degree $d/c$. In fact, $h_d$ is the product of all $\mathbb{F}_q[t]$ irreducible factors of $h$ of degree $d$ and hence $h_d \in \mathbb{F}_q[t]$. We may perform equal degree factorization on $h_d$ to obtain all $\mathbb{F}_q[t]$ irreducible degree $d$ factors of $h$. Since $c$ is bounded by an absolute constant, the post processing steps after obtaining the factorization over $\mathbb{F}_{q^c}$ take at most $O(n^{1+o(1)}(\log q)^{\ldots + o(1)} + n(\log q)^{\ldots + o(1)})$ expected time.

Lemma 3.3. If q is odd and ^/q > 2n, alaorithm \3.1\ outvuts \sh/2'\ with probability at least 1/4. 

Proof. For the output deg{h) — deg{h — x<l>,t)) of algorithm 13.II to be [ 5 / 1 / 2 ], it suffices for 


deg 


E 

k j:deg(pi)=Sh 


1 


= deg(h) - [sd/ 2 ] 




to hold. Since pi are all monic, this is equivalent to 
^3 ^ H,Pi,V»h/A 


i:deg(pi)=s,. 




7^0 


where a^^p^^Ysh/ 2 \ G denotes the coefficient of the a^.p^- 


Fix a factor pj of f) of degree Sh- 


Since g^ £ A and G A^ are each chosen of degree less than deg{h) independently and uniformly at 
random (with gcd(A 0 , h) = 1), by the Chinese remainder theorem, the tuple {{g^ mod pi, A^ mod p/)}/ 
is distributed uniformly in ni(®'pi ^ ®'pi)- 
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In particular, Vi j, and are independent and 

°<^.PLL«h/2j I Y °-4>,p^,VsH/2\ p^f a<j>,Pj,[^h/2l ^ g 

V:deg(pi)=Sh ^<I’-P' j ggF, ^ yLdeg(pi)=Sfe ,15^:/ / ^’P.P] 

(3.2) ^Pr( y ^^■P.ds./2J ^ qV ^.^p^ f H,P.A^./2i ^ _ 

V:degir)=.. ^ 

Fix a 0 G Fq and let 

Se ■■= {(a,e) G A x F^| deg(a^ - Aepj) = deg{pj),ais,,/ 2 ]/e 7 ^ 0} 
where ayg^/ 2 \ G F^ denotes the coefficient of the tLsh/2j term in a. 


We next count elements in $S_\theta$ to lower bound its size. The condition $\deg(a^2 - 4ep_j) = \deg(p_j)$ implies that we are only allowed to pick $a \in A$ of degree at most $\deg(p_j)/2$. If $\deg(p_j)$ is odd, $\deg(a^2 - 4ep_j) = \deg(p_j)$ is always satisfied for every $a \in A$ of degree at most $\deg(p_j)/2$. To pick an element in $S_\theta$, but for the coefficient $a_{\lfloor s_h/2 \rfloor}$, we may choose the coefficients of $a \in A$ arbitrarily of degree at most $\deg(p_j)/2$ and arbitrarily choose $e \in \mathbb{F}_q^\times$. For each such choice, to satisfy $\deg(a^2 - 4ep_j) = \deg(p_j)$ and $a_{\lfloor s_h/2 \rfloor}/e \neq \theta$, we need to exclude at most two choices for $a_{\lfloor s_h/2 \rfloor}$ if $\deg(p_j)$ is even and at most one choice if $\deg(p_j)$ is odd. Thus

$$|S_\theta| \geq \begin{cases} (q - 2)\sqrt{|\mathbb{F}_{p_j}|}\, q & \text{if } \deg(p_j) \text{ is even} \\ (q - 1)\sqrt{|\mathbb{F}_{p_j}|}\, \sqrt{q} & \text{if } \deg(p_j) \text{ is odd.} \end{cases}$$


Applying Lemma 2.5 for $S_\theta$, we get

$$|\{(\phi/\mathfrak{p}_j) \mid (a_{\phi,p_j}, e_{\phi,p_j}) \in S_\theta\}| \geq (1 - \cdots).$$

Thus, for $\sqrt{q} > 2\deg(h) > 2\deg(p_j)$,

$$\Pr\big( a_{\phi,p_j,\lfloor s_h/2 \rfloor}/e_{\phi,p_j} \neq \theta \big) \geq (1 - \cdots)(1 - \cdots) \geq \frac{1}{4}$$

and by equation (3.2) the lemma follows. □


Proof of Theorem 1.1 and Corollary 1.2. Theorem 1.1 follows from the proof of correctness (Lemma 3.3) of Algorithm 3.1. Corollary 1.2 follows by considering lines one and three in Algorithm 3.1 to be performed by the black box $\mathcal{B}$ in Corollary 1.2. The case $\gcd(\Delta_\phi, h) \neq 1$ for a random $\phi$ is unlikely to happen and hence step 2 of Algorithm 3.1 may be ignored in the reduction.


When $q$ is large enough (say $q > 2\deg(h)^4$), it is likely for a randomly chosen $\phi$ that $\phi(\mathbb{F}_\mathfrak{h})$ is a cyclic $A$-module. Further, for a random $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$, it is likely that $\mathrm{Ord}(\alpha) = \mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))$. Since $\phi(\mathbb{F}_\mathfrak{h})$ being cyclic implies $\chi_{\phi,\mathfrak{h}} = \mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))$, it is likely that $\mathrm{Ord}(\alpha) = \chi_{\phi,\mathfrak{h}}$. Thus, instead of computing $\chi_{\phi,\mathfrak{h}}$ in Algorithm 3.1 we could compute $\mathrm{Ord}(\alpha)$ for a random $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$ and be assured that the output $\deg(h) - \deg(h - \mathrm{Ord}(\alpha))$ is likely $\lceil s_h/2 \rceil$.

Algorithm 3.4.

Input: Monic square free reducible polynomial $h \in A$ of degree $n$.

(1) Choose a Drinfeld module $\phi$ by picking $g_\phi \in A$ and $\Delta_\phi \in A^\times$ each of degree less than $\deg(h)$ independently and uniformly at random.

(2) If $\gcd(\Delta_\phi, h) \neq 1$, output it as a factor. Else $\phi$ has reduction at primes dividing $\mathfrak{h}$ and we proceed.

(3) Choose $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$ at random and compute $\mathrm{Ord}(\alpha)$ with constant probability.

(4) If $\deg(\mathrm{Ord}(\alpha)) = \deg(h)$, Output: $n - \deg(h - \mathrm{Ord}(\alpha))$.

Every step except for (3) can be performed in $O(n \log q)$ time. In § 3.1 we show that the order of an element in $\phi(\mathbb{F}_\mathfrak{h})$ (and hence step (3)) can be computed with probability arbitrarily close to 1 in $O(n^{(1+\omega)/2+o(1)}(\log q)^{1+o(1)} + n^{1+o(1)}(\log q)^{2+o(1)})$ expected time. In the subsequent lemma, we prove a lower bound on the probability that reductions of Drinfeld modules are cyclic and use it in Theorem 3.6 to prove that Algorithm 3.4 outputs $\lceil s_h/2 \rceil$ with constant probability. Consequently, we have an $O(n^{(1+\omega)/2+o(1)}(\log q)^{1+o(1)} + n^{1+o(1)}(\log q)^{2+o(1)})$ expected time algorithm to extract a non trivial factor.


Lemma 3.5. For odd $q$, for every prime ideal $\mathfrak{p} \subset A$, the probability that $\phi(\mathbb{F}_\mathfrak{p})$ is a cyclic $A$-module for a randomly chosen $\phi/\mathfrak{p}$ is at least $(1 - \cdots)$.

Proof. Let $\mathfrak{p} \subset A$ be a prime ideal and $p$ its monic generator. Cojocaru and Papikian [CP14, Cor 3] determined the following precise characterization of the $A$-module structure of finite Drinfeld modules when $\mathbb{F}_q$ is of odd characteristic. For a Drinfeld module $\phi$ with reduction at $\mathfrak{p}$, let $f_{\phi,p} \in A$ denote the largest monic square factor of the discriminant $a_{\phi,p}^2 - 4e_{\phi,p}p$ of $P_{\phi,p}$. As $A$-modules

$$\phi(\mathbb{F}_\mathfrak{p}) \cong A/(m_{\phi,p}) \oplus A/(m_{\phi,p} n_{\phi,p})$$

where

$$m_{\phi,p} = \gcd(f_{\phi,p}, a_{\phi,p} - 2).$$

In particular, $\phi(\mathbb{F}_\mathfrak{p})$ is $A$-cyclic if and only if $\gcd(f_{\phi,p}, a_{\phi,p} - 2) = 1$. Let

$$S_p := \{(a, e) \in A \times \mathbb{F}_q^\times \mid \deg(a^2 - 4ep) = \deg(p),\ \gcd(a^2 - 4ep, a - 2) = 1\}.$$

We next estimate the size of $S_p$. An element in $S_p$ can be chosen as follows. Pick $a \in A$ arbitrarily of degree at most $\deg(p)/2$. For such a chosen $a$, to satisfy $\gcd(a^2 - 4ep, a - 2) = 1$, pick $e$ such that for all monic irreducible polynomials $\ell$ dividing $a - 2$, $a^2 - 4ep \not\equiv 0 \bmod \ell$. For a fixed monic irreducible $\ell$ dividing $a - 2$, there is at most one $e \in \mathbb{F}_q^\times$ such that $a^2 - 4ep \equiv 0 \bmod \ell$, for if there were two, then that would imply $\ell$ divides $p$, which contradicts the fact that $p$ is irreducible and of degree higher than $\ell$. Thus, for a chosen $a$, to ensure $a^2 - 4ep$ and $a - 2$ are relatively prime, we need to exclude at most $\deg(p)/2$ values for $e$. When $\deg(p)$ is even, for a chosen $a$, to ensure $\deg(a^2 - 4ep) = \deg(p)$, we need to exclude at most one choice for $e$.


$$|S_p| \geq \begin{cases} (q - 2 - \deg(p)/2)\sqrt{|\mathbb{F}_p|}\, q & \text{if } \deg(p) \text{ is even} \\ (q - 1 - \deg(p)/2)\sqrt{|\mathbb{F}_p|}\, \sqrt{q} & \text{if } \deg(p) \text{ is odd.} \end{cases}$$

Applying Lemma 2.5 for $S_p$, we get

$$|\{(\phi/\mathfrak{p}) \mid (a_{\phi,p}, e_{\phi,p}) \in S_p\}| \geq (1 - \cdots).$$

Thus $\phi(\mathbb{F}_\mathfrak{p})$ is $A$-cyclic with probability at least $(1 - \cdots)$. □


Theorem 3.6. There exists a positive constant $c$ such that for $q$ odd and at least $2n^4$, Algorithm 3.4 outputs $\lceil s_h/2 \rceil$ with probability at least $c$.


Proof. Assume $q$ is odd and $q > 2n^4$. For a choice of $\alpha$ and $\phi$ made in Algorithm 3.4, if the following three conditions hold, then clearly the output is $\lceil s_h/2 \rceil$.

• $\mathrm{Ord}(\alpha) = \mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))$,

• $\mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h})) = \chi_{\phi,\mathfrak{h}}$,

• $\deg(h) - \deg(h - \chi_{\phi,\mathfrak{h}}) = \lceil s_h/2 \rceil$.

For a fixed $\phi$ and a random $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$, from the $A$-module decomposition of $\phi(\mathbb{F}_\mathfrak{h})$ into invariant factors, we infer that $\mathrm{Ord}(\alpha) = \mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))$ with probability at least

$$\frac{|\{a \in A \mid \deg(a) < \deg(\mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))),\ \gcd(a, \mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))) = 1\}|}{q^{\deg(\mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h})))}} \geq \Big(1 - \frac{1}{q}\Big)^{\deg(h)} \geq 1 - \frac{\deg(h)}{q} \geq \frac{1}{2}.$$

The last inequality is a consequence of $q > 2\deg(h)^4$. If $\phi(\mathbb{F}_\mathfrak{h})$ is a cyclic $A$-module, then by definition $\chi_{\phi,\mathfrak{h}} = \mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))$. Hence, to claim the theorem, it suffices to prove that for a Drinfeld module $\phi$ chosen at random as in Algorithm 3.4 the following two conditions hold with constant probability:

• $\phi(\mathbb{F}_\mathfrak{h})$ is a cyclic $A$-module,

• $\deg(h) - \deg(h - \chi_{\phi,\mathfrak{h}}) = \lceil s_h/2 \rceil$.

The proof proceeds by induction on the factors of $h$. Let $m$ denote the number of irreducible factors of $h$. Without loss of generality relabel the irreducible factors of $h$ such that $h = \prod_{i=1}^m p_i$ where $\deg(p_1) \geq \deg(p_2) \geq \cdots \geq \deg(p_m)$. In particular, $\deg(p_m) = s_h$. Let $h_i := \prod_{j=1}^i p_j$ and $\mathfrak{h}_i := (h_i)$.

Induction Hypothesis: For $i < m$, assume $\phi(\mathbb{F}_{\mathfrak{h}_i})$ is a cyclic $A$-module with probability at least $\big(1 - \frac{\deg(h)}{\sqrt{q}}\big)^i$.

The initial case $i = 1$ of the induction hypothesis (that is, $\mathfrak{h}_1$ is prime) follows from Lemma 3.5.

We next lower bound the probability that $\phi(\mathbb{F}_\mathfrak{h})$ ($= \phi(\mathbb{F}_{\mathfrak{h}_m})$) is $A$-cyclic and $\deg(h) - \deg(h - \chi_{\phi,\mathfrak{h}}) = \lceil s_h/2 \rceil$ conditioned on $\phi(\mathbb{F}_{\mathfrak{h}_{m-1}})$ being $A$-cyclic. Since $g_\phi \in A$ and $\Delta_\phi \in A^\times$ are each chosen of degree less than $\deg(h)$ independently and uniformly at random (with $\gcd(\Delta_\phi, h) = 1$), by the Chinese remainder theorem, the tuple $\{(g_\phi \bmod p_i, \Delta_\phi \bmod p_i)\}_i$ is distributed uniformly in $\prod_i (\mathbb{F}_{p_i} \times \mathbb{F}_{p_i}^\times)$. In particular, $(a_{\phi,p_m}, e_{\phi,p_m})$ is independent of the structure of $\phi(\mathbb{F}_{\mathfrak{h}_{m-1}})$. Consequently, instead of conditioning on $\phi(\mathbb{F}_{\mathfrak{h}_{m-1}})$ being $A$-cyclic, we fix a tuple

$$\{(g_\phi \bmod p_i, \Delta_\phi \bmod p_i)\}_{i < m}$$

such that $\phi(\mathbb{F}_{\mathfrak{h}_{m-1}})$ is $A$-cyclic. In particular, $\chi_{\phi,\mathfrak{h}_{m-1}}$ is fixed. In the remainder of the proof, the only randomness in $\phi$ comes from choosing $(g_\phi \bmod p_m, \Delta_\phi \bmod p_m)$ uniformly at random from $\mathbb{F}_{p_m} \times \mathbb{F}_{p_m}^\times$.

As reasoned in the proof of Lemma 3.3, for $\deg(h) - \deg(h - \chi_{\phi,\mathfrak{h}})$ to be $\lceil s_h/2 \rceil$, it suffices for

$$(3.3) \qquad \sum_{i : \deg(p_i) = s_h} \big( a_{\phi,p_i,\lfloor s_h/2 \rfloor} / e_{\phi,p_i} \big) \neq 0$$

to hold, where $a_{\phi,p_i,\lfloor s_h/2 \rfloor} \in \mathbb{F}_q$ denotes the coefficient of the $t^{\lfloor s_h/2 \rfloor}$ term in $a_{\phi,p_i}$.

Since for all $i \neq m$, $(g_\phi \bmod p_i, \Delta_\phi \bmod p_i)$ is fixed,

$$\theta := -\sum_{i : \deg(p_i) = s_h,\, i \neq m} \big( a_{\phi,p_i,\lfloor s_h/2 \rfloor} / e_{\phi,p_i} \big)$$

is fixed. Clearly equation (3.3) holds if and only if $a_{\phi,p_m,\lfloor s_h/2 \rfloor} / e_{\phi,p_m} \neq \theta$.

Since $\phi(\mathbb{F}_{\mathfrak{h}_{m-1}})$ is $A$-cyclic, if $\phi(\mathbb{F}_{p_m})$ is $A$-cyclic and $\chi_{\phi,p_m}$ is relatively prime to $\chi_{\phi,\mathfrak{h}_{m-1}}$ then $\phi(\mathbb{F}_\mathfrak{h})$ is $A$-cyclic. Thus, to ensure $\phi(\mathbb{F}_\mathfrak{h})$ is $A$-cyclic, it suffices if $\gcd(p_m - (a_{\phi,p_m} - 1)/e_{\phi,p_m}, \chi_{\phi,\mathfrak{h}_{m-1}}) = 1$ and $\gcd(a_{\phi,p_m}^2 - 4e_{\phi,p_m}p_m, a_{\phi,p_m} - 2) = 1$. The argument as to why is identical to the discussion in the proof of Lemma 3.5.

For $a \in A$, denote by $a_{\lfloor s_h/2 \rfloor} \in \mathbb{F}_q$ the coefficient of $t^{\lfloor s_h/2 \rfloor}$ in $a$. To summarize, the set $S_{p_m}$ of tuples $(a, e) \in A \times \mathbb{F}_q^\times$ that satisfy the four conditions

(i) $\deg(a^2 - 4ep_m) = \deg(p_m)$,

(ii) $a_{\lfloor s_h/2 \rfloor} \neq \theta e$,

(iii) $\gcd(ep_m - (a - 1), \chi_{\phi,\mathfrak{h}_{m-1}}) = 1$,

(iv) $\gcd(a^2 - 4ep_m, a - 2) = 1$,

has the property that if $(a_{\phi,p_m}, e_{\phi,p_m}) \in S_{p_m}$ then $\phi(\mathbb{F}_\mathfrak{h})$ is $A$-cyclic and $\deg(h) - \deg(h - \chi_{\phi,\mathfrak{h}}) = \lceil s_h/2 \rceil$.

We estimate a lower bound on the size of $S_{p_m}$ by choosing $a \in A$ arbitrarily of degree at most $\deg(p_m)/2$ and for each choice of $a$, picking only those $e$ such that the four conditions are satisfied. To ensure the first condition, we need to exclude at most one choice for $e$. To satisfy the fourth condition, for a fixed choice of $a$, we need to exclude at most $\deg(a - 2) \leq \deg(p_m)/2$ choices for $e$. This is because for each monic irreducible polynomial $\ell$ dividing $a - 2$, there is at most one $e \in \mathbb{F}_q^\times$ such that $a^2 - 4ep_m \equiv 0 \bmod \ell$. For if there were two, then $\ell$ would divide $p_m$, which is an irreducible polynomial of degree higher than $\deg(\ell)$. To satisfy the third condition, for a fixed choice of $a \neq 1$, we need to exclude at most $\deg(h_{m-1})$ choices for $e$. This is because for each monic irreducible polynomial $\ell$ dividing $\chi_{\phi,\mathfrak{h}_{m-1}}$, there is at most one $e \in \mathbb{F}_q^\times$ such that $ep_m - (a - 1) \equiv 0 \bmod \ell$. For if there were two, then $\ell$ would divide $p_m$, in which case restricting to $a \neq 1$ assures that $ep_m - (a - 1) \not\equiv 0 \bmod \ell$. If $\theta \neq 0$, to satisfy the second condition we need to exclude at most one choice for $e$, which implies

$$\theta \neq 0 \Rightarrow |S_{p_m}| \geq \begin{cases} \sqrt{|\mathbb{F}_{p_m}|}\,(q - \deg(h_{m-1}) - \deg(p_m)/2 - 3)\, q & \text{if } \deg(p_m) \text{ is even} \\ \sqrt{|\mathbb{F}_{p_m}|}\,(q - \deg(h_{m-1}) - \deg(p_m)/2 - 3)\, \sqrt{q} & \text{if } \deg(p_m) \text{ is odd.} \end{cases}$$

For $\theta = 0$, the second condition can be satisfied by restricting the count to non zero $a_{\lfloor s_h/2 \rfloor}$ and we get

$$\theta = 0 \Rightarrow |S_{p_m}| \geq \begin{cases} \sqrt{|\mathbb{F}_{p_m}|}\,(q - \deg(h_{m-1}) - \deg(p_m)/2 - 2)(q - 1) & \text{if } \deg(p_m) \text{ is even} \\ \sqrt{|\mathbb{F}_{p_m}|}\,(q - \deg(h_{m-1}) - \deg(p_m)/2 - 2)(q - 1)/\sqrt{q} & \text{if } \deg(p_m) \text{ is odd.} \end{cases}$$

Applying Lemma 2.5 for $S_{p_m}$ and assuming $q > 2\deg(h)^4$, we get

$$|\{(\phi/\mathfrak{p}_m) \mid (a_{\phi,p_m}, e_{\phi,p_m}) \in S_{p_m}\}| \geq \Big(1 - \frac{\deg(h)}{\sqrt{q}}\Big) |\mathbb{F}_{p_m}| |\mathbb{F}_{p_m}^\times|.$$

The probability that $\phi(\mathbb{F}_\mathfrak{h})$ is $A$-cyclic and $\deg(h) - \deg(h - \mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))) = \lceil s_h/2 \rceil$ conditioned on $\phi(\mathbb{F}_{\mathfrak{h}_{m-1}})$ being $A$-cyclic is hence at least

$$1 - \frac{\deg(h)}{\sqrt{q}}.$$

By induction $\phi(\mathbb{F}_\mathfrak{h})$ is $A$-cyclic and $\deg(h) - \deg(h - \mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))) = \lceil s_h/2 \rceil$ with probability at least

$$\Big(1 - \frac{\deg(h)}{\sqrt{q}}\Big)^m \geq 1 - \frac{m\deg(h)}{\sqrt{q}} \geq 1 - \frac{\deg(h)^2}{\sqrt{q}},$$

which is lower bounded by a constant since $q > 2\deg(h)^4$ and the theorem follows. □
3.1. Order Finding in Finite Drinfeld Modules. We sketch a Monte Carlo randomized algorithm to compute $\mathrm{Ord}(\alpha)$ with probability arbitrarily close to 1 in $O(n^{(1+\omega)/2+o(1)}(\log q)^{1+o(1)} + n^{1+o(1)}(\log q)^{2+o(1)})$ time. The algorithm works for every $\phi$ with reduction at $\mathfrak{h}$ and every $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$. Fix a $\phi$ with reduction at $\mathfrak{h}$ and an $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$. Compute the minimal polynomial of the linear sequence $\{U(\phi_t^j(\alpha)),\ j \in \mathbb{Z}_{\geq 0}\}$ where $U : \mathbb{F}_\mathfrak{h} \to \mathbb{F}_q$ is a random $\mathbb{F}_q$-linear map. The minimal polynomial of the linear sequence divides $\mathrm{Ord}(\alpha)$ and with probability at least half equals $\mathrm{Ord}(\alpha)$. Hence the least common multiple of the minimal polynomials of the resulting linear sequences of $O(\log(1/\delta))$ independent trials is $\mathrm{Ord}(\alpha)$ with probability at least $1 - \delta$. For a trial, the minimal polynomial of a sequence can be computed in $O(\cdots \log q)$ time using the fast Berlekamp-Massey algorithm given the first $2\deg(h) - 1$ elements in the sequence. Hence the critical step is the computation of

(3.4)

for a randomly chosen $U$. This is virtually identical to the automorphism projection problem of Kaltofen-Shoup, the difference being that the Frobenius endomorphism modulo $\mathfrak{h}$ is replaced by the Drinfeld endomorphism $\phi_t$ modulo $\mathfrak{h}$. In Kaltofen-Shoup, apart from being an $\mathbb{F}_q$-linear endomorphism of $\mathbb{F}_\mathfrak{h}$, the only property of the Frobenius exploited is that $\tau(t \bmod \mathfrak{h})$ can be computed in $O(n^{1+o(1)}(\log q)^{2+o(1)})$ time using the von zur Gathen-Shoup algorithm. To adapt the automorphism projection algorithm of Kaltofen and Shoup [KS98, § 3.2] to apply in our setting, we merely have to demonstrate how to efficiently compute $\phi_t(t \bmod \mathfrak{h})$ given $\tau(t \bmod \mathfrak{h})$, $g_\phi \bmod \mathfrak{h}$ and $\Delta_\phi \bmod \mathfrak{h}$. Since

$$\phi_t(t \bmod \mathfrak{h}) = t^2 \bmod \mathfrak{h} + g_\phi\, \tau(t \bmod \mathfrak{h}) + \Delta_\phi\, \tau^2(t \bmod \mathfrak{h}),$$

we can compute $\phi_t(t \bmod \mathfrak{h})$ in $O(n^{1+o(1)}(\log q)^{2+o(1)})$ time with three Frobenius powers and two additions modulo $h$, thereby making the Kaltofen-Shoup algorithm applicable to our setting.

3.2. Obtaining the Complete Factorization from a Factor Finding Procedure. In this subsection, we prove that given access to a black box $\mathcal{D}$ that takes as input a square free $f \in A$ and outputs an irreducible factor, there is an 0(n^/^+°(^)(log(7)^“''°*-^^) expected time algorithm $\mathcal{F}$ to factor a polynomial of degree $n$ over $\mathbb{F}_q$ into its irreducible factors. Further, this algorithm makes at most calls to $\mathcal{D}$. Thereby, Corollary 1.3 would follow from Theorem 1.1.

Without loss of generality, assume that the input $h \in A$ to $\mathcal{F}$ is square free and of degree $n$. Obtaining the factorization of $h$ by extracting one irreducible factor at a time using $\mathcal{D}$ could in the worst case take $\Omega(\sqrt{n})$ calls to $\mathcal{D}$. A faster alternative is to use the Kaltofen-Shoup algorithm with fast modular composition to extract small degree factors of $h$ and then invoke $\mathcal{D}$ to extract the large degree factors one at a time. In particular, using [KU08, Lem 8.4, Thm 8.5], extract all the irreducible factors of $h$ of degree at most in expected time. The remaining irreducible factors of $h$ each have degree at least . Hence there are at most irreducible factors of $h$ remaining and the complete factorization of $h$ can be obtained by extracting a factor at a time with at most calls to $\mathcal{D}$.

Remark 3.7. Kaltofen and Shoup [KS98, § 3.1] through the blackbox Berlekamp algorithm [KL94] reduced polynomial factorization in time nearly linear in degree to two problems that are transposes of each other, namely automorphism projection and automorphism evaluation. Being transposes, a straight line program that computes $\mathbb{F}_q$ linear forms in the input for one would in linear time yield a straight line program for the other of the same complexity. In particular, there is a nearly linear polynomial factorization algorithm if there is a nearly linear time $\mathbb{F}_q$ linear solution to the automorphism projection problem. Our order finding problem is no harder than automorphism projection. We hence arrive at the stronger assertion that polynomial factorization is reducible to automorphism projection. In particular, no assumptions on the linearity of the automorphism projection algorithm are made. We must however remark that the automorphism projection we consider (see equation (3.4)) is broader than that stated in [KS98, § 3.2] where only the Frobenius automorphism is considered.

Footnote: We may replace $(1+\omega)/2$ with $\omega_2/2$, where $\omega_2$ is the exponent of $n \times n$ by $n \times n^2$ matrix multiplication (see [KU08]).

3.3. Degree Estimation Using Carlitz Modules. The degree estimation algorithm framework also gives rise to variants where there is no randomization with respect to the choice of Drinfeld modules. In fact, the following deterministic example from the author's Ph.D. thesis [Nar14] using Carlitz modules (rank 1 Drinfeld modules) partly motivated the randomized version. The Carlitz module based algorithm is suited to the case when the characteristic of $\mathbb{F}_q$ does not divide the number of factors of the smallest degree.

Example 3.8. Factor Degree Estimation using Carlitz Modules.

Input: Monic square free reducible polynomial $h \in A$.

(1) Choose the Carlitz module $\phi$ (the rank 1 Drinfeld module $\phi$ with $g_\phi = 1$ and $\Delta_\phi = 0$).

(2) Compute $\chi_{\phi,\mathfrak{h}}$.

(3) Output: $\deg(h) - \deg(h - \chi_{\phi,\mathfrak{h}})$.

In [Nar14] it is shown that the output is exactly $s_h$ provided the number of factors of degree $s_h$ is not divisible by the characteristic of $\mathbb{F}_q$. This is true since for the Carlitz module $\phi$, for all prime ideals $\mathfrak{p} \subset A$, $\chi_{\phi,\mathfrak{p}} = p - 1$ where $p$ is the monic generator of $\mathfrak{p}$.

Curiously, for the Carlitz module $\phi$, finding $\chi_{\phi,\mathfrak{h}}$ is easily seen to be no harder than factoring $h$. Computing $\chi_{\phi,\mathfrak{h}}$ is linear time reducible to factoring $h$ since given the factorization of $h$, it is trivial to write down $\chi_{\phi,\mathfrak{h}}$ in $O(\deg(h) \log q)$ time.

4. Factorization Patterns of Polynomials in Small Intervals

Our analysis of the Drinfeld module analogue of the black-box Berlekamp algorithm relies on the degree distribution in factorization patterns of polynomials in short intervals, which we study in this section.

For a partition $\lambda$ of a positive integer $e$, let $C_\lambda := \{\sigma \in S_e \mid \lambda_\sigma = \lambda\}$ denote its conjugacy class, where $S_e$ is the symmetric group on $e$ elements and $\lambda_\sigma$ is the partition of $e$ induced by the factorization of $\sigma$ into disjoint cycles. Let $P(\lambda) := |C_\lambda|/|S_e|$. For a polynomial $f \in A$, let $\lambda(f)$ denote the partition of $\deg(f)$ induced by the degrees of the irreducible factors in the factorization of $f$ in $A$.

For $f \in A$ and a positive integer $m < \deg(f)$, define the interval around $f$ corresponding to the degree bound $m$ as

$$I_m(f) := \{f + a \mid a \in A,\ \deg(a) < m\}.$$

For $I \subseteq A$ where each polynomial in $I$ is of degree exactly $d > 1$ and a partition $\lambda$ of $d$, define

$$B_q(I, \lambda) := \{a \in I \mid \lambda(a) = \lambda\} \quad \text{and} \quad \pi_q(I, \lambda) := |B_q(I, \lambda)|.$$

Bank, Bary-Soroker and Rosenzweig [BBR14] recently proved the following theorem when the field size $q$ tends to infinity while $d$ is fixed.

Theorem 4.1 ([BBR14, Thm 1]). For all monic $f \in A$ of fixed degree $d$, for all positive integers $2 < m < d$ and for all partitions $\lambda$ of $d$,

$$\pi_q(I_m(f), \lambda) \sim P(\lambda)|I_m(f)| \quad \text{as } q \to \infty.$$

It is widely conjectured (see [BBR14]) that

Conjecture 4.2. For all monic $f \in A$ of degree $d$ such that $3 < d < \sqrt{q}/2$ and for all partitions $\lambda$ of $d$,

$$\pi_q(I_m(f), \lambda) \sim P(\lambda)|I_m(f)| \quad \text{as } q \to \infty.$$

In the next subsection § 4.1, by applying an effective Lang-Weil bound to the argument in [BBR14], we prove an effective version of Theorem 4.1 that holds for $\log q > 5d\log(d)$.


4.1. A High Dimensional Variant of the Function Field Chebotarev Density Theorem. Let $E$ denote the rational function field $\mathbb{F}_q(t_1, \ldots, t_m)$ in the $m$ indeterminates $t_1, \ldots, t_m$. Let $F/E$ be a finite Galois extension of $E$. Fix an algebraic closure $\overline{\mathbb{F}}_q$ of $\mathbb{F}_q$ and let

$$\alpha : \mathrm{Gal}(F/E) \to \mathrm{Gal}((\overline{\mathbb{F}}_q \cap F)/\mathbb{F}_q)$$

denote the restriction map. Let $V = \mathrm{Spec}(\mathbb{F}_q[t_1, \ldots, t_m])$ and let $V_{ur}(\mathbb{F}_q) \subseteq V(\mathbb{F}_q)$ denote the subset of $\mathbb{F}_q$ rational places in $V$ that are étale in the extension $F/E$. Let $\mathcal{O}_F$ denote the integral closure of $\mathbb{F}_q[t_1, \ldots, t_m]$ in $F$ and let $W = \mathrm{Spec}(\mathcal{O}_F)$. For a place $\mathfrak{P} \in W$ lying above a place $\mathfrak{p} \in V$ that is étale in $F/E$, let $\sigma_\mathfrak{P} \in \mathrm{Gal}(F/E)$ denote its Artin symbol. For a place $\mathfrak{p} \in V$ that is étale in $F/E$, let

$$\Theta_\mathfrak{p} := \{\sigma_\mathfrak{P} \mid \mathfrak{P} \in W,\ \mathfrak{P} | \mathfrak{p}\} \subseteq \ker(\alpha)$$

denote the conjugacy class of Artin symbols above $\mathfrak{p}$.


Lemma 4.3. If q > 2(m + 1)[F : E]'^ , for every conjugacy class $\Theta \subseteq \ker(\alpha)$,

$$\Big| |\{\mathfrak{p} \in V_{ur}(\mathbb{F}_q) \mid \Theta_\mathfrak{p} = \Theta\}| - \frac{|\Theta|}{|\ker(\alpha)|} q^m \Big| < \frac{|\Theta|}{|\ker(\alpha)|} q^m \Big( \frac{([F:E] - 1)([F:E] - 2)}{\sqrt{q}} + \frac{5[F:E]^{13/3}}{q} \Big).$$


Proof. Fix a conjugacy class $\Theta \subseteq \ker(\alpha)$ and let $U := \{\mathfrak{p} \in V_{ur}(\mathbb{F}_q) \mid \Theta_\mathfrak{p} = \Theta\}$.

Let $\rho : W \to V$ denote the norm map from $W$ down to $V$. Applying [Bar12, Prop. 2.2] to $(V, W, \rho, \Theta)$ implies the existence of a smooth irreducible affine $\mathbb{F}_q$-variety $\widetilde{W}$ and a finite separable morphism $\pi : \widetilde{W} \to V$ such that

(i) $\pi(\widetilde{W}) = U$,

(ii) $\deg(\pi) = |\ker(\alpha)|$,

(iii) $\forall \mathfrak{p} \in U$, $|\pi^{-1}(\mathfrak{p}) \cap \widetilde{W}(\mathbb{F}_q)| = |\ker(\alpha)|/|\Theta|$.

Since $\pi : \widetilde{W} \to V$ is finite, $\widetilde{W}$ and $V$ have the same dimension, namely $m$. Further, $W$ and $\widetilde{W}$ are twists of each other [Bar12]. As a consequence, $W$ and $\widetilde{W}$ have the same degree, namely $[F : E]$.

Bounding the size of $\widetilde{W}(\mathbb{F}_q)$ using an effective Lang-Weil bound [CM06],

$$\big| |\widetilde{W}(\mathbb{F}_q)| - q^m \big| < ([F:E] - 1)([F:E] - 2)\, q^{m - 1/2} + 5[F:E]^{13/3}\, q^{m-1}.$$

Since $\pi(\widetilde{W}) = U$ and $\forall \mathfrak{p} \in U$, $|\pi^{-1}(\mathfrak{p}) \cap \widetilde{W}(\mathbb{F}_q)| = |\ker(\alpha)|/|\Theta|$, we have $|\widetilde{W}(\mathbb{F}_q)| = |U| \cdot |\ker(\alpha)|/|\Theta|$ and

$$\Big| |U| - \frac{|\Theta|}{|\ker(\alpha)|} q^m \Big| < \frac{|\Theta|}{|\ker(\alpha)|} \Big( ([F:E] - 1)([F:E] - 2)\, q^{m - 1/2} + 5[F:E]^{13/3}\, q^{m-1} \Big). \qquad \square$$


Theorem 4.4. For every positive integer $m \geq 2$, for every monic $f \in A$ of degree greater than $m$ and for every partition $\lambda$ of $\deg(f)$, if $\log q > 5\deg(f)\log(\deg(f))$ then

$$\big| \pi_q(I_m(f), \lambda) - P(\lambda)|I_m(f)| \big| < \tfrac{1}{2} P(\lambda)|I_m(f)|.$$
Proof. Fix a monic non constant polynomial $f \in A$ of degree at least $m$ and let

$$\mathcal{F}_f := f + \sum_{i=1}^{m} x_i t^{i-1}.$$

Since the indeterminate $x_1$ only appears in $\mathcal{F}_f$ as the linear term $x_1$, $\mathcal{F}_f$ is absolutely irreducible and separable in $t$. Thus the splitting field $F_f$ of $\mathcal{F}_f$ over $E = \mathbb{F}_q(x_1, \ldots, x_m)$ is Galois. We will shortly apply Lemma 4.3 to the extension $F_f/E$. Before doing so, we argue that $F_f/E$ is a geometric extension.

The splitting field of $\mathcal{F}_f$ over $\overline{\mathbb{F}}_q(x_1, \ldots, x_m)$ is the composite $F_f.\overline{\mathbb{F}}_q$ and we have

$$\mathrm{Gal}(F_f.\overline{\mathbb{F}}_q / \overline{\mathbb{F}}_q(x_1, \ldots, x_m)) \leq \mathrm{Gal}(F_f/E) \leq S_{\deg(f)}.$$

By [BBR14, Prop 3.6], $\mathrm{Gal}(F_f.\overline{\mathbb{F}}_q / \overline{\mathbb{F}}_q(x_1, \ldots, x_m)) = S_{\deg(f)}$

$$\Rightarrow \mathrm{Gal}(F_f.\overline{\mathbb{F}}_q / \overline{\mathbb{F}}_q(x_1, \ldots, x_m)) = \mathrm{Gal}(F_f/E) = S_{\deg(f)} \Rightarrow F_f \cap \overline{\mathbb{F}}_q = \mathbb{F}_q.$$

Hence $F_f/E$ is a geometric extension. Since $\mathrm{Gal}(F_f \cap \overline{\mathbb{F}}_q / \mathbb{F}_q)$ is trivial, the restriction map

$$\alpha_f : \mathrm{Gal}(F_f/E) \to \mathrm{Gal}(F_f \cap \overline{\mathbb{F}}_q / \mathbb{F}_q)$$

has kernel

$$\ker(\alpha_f) = \mathrm{Gal}(F_f/E) \cong S_{\deg(f)}.$$

Since $\mathrm{Gal}(\overline{\mathbb{F}}_q/\mathbb{F}_q) = \langle \tau \rangle \cong \widehat{\mathbb{Z}}$ where $\tau$ is the $q$-th power Frobenius, homomorphisms from $\mathrm{Gal}(\overline{\mathbb{F}}_q/\mathbb{F}_q)$ to $S_{\deg(f)}$ are parametrized by the permutations in $S_{\deg(f)}$ they map $\tau$ to. That is, $\sigma \in S_{\deg(f)}$ corresponds to $\theta_\sigma \in \mathrm{Hom}(\mathrm{Gal}(\overline{\mathbb{F}}_q/\mathbb{F}_q), S_{\deg(f)})$ that takes $\tau$ to $\sigma$.


Fix a partition $\lambda$ of $\deg(f)$. For the conjugacy class $\Theta_\lambda := \{\theta_\sigma \mid \sigma \in C_\lambda\} \subseteq \ker(\alpha_f)$,

$$(4.1) \qquad \frac{|\Theta_\lambda|}{|\ker(\alpha_f)|} = \frac{|C_\lambda|}{|S_{\deg(f)}|} = P(\lambda)$$

where the first equality follows from the fact that $\ker(\alpha_f) \cong S_{\deg(f)}$ and $|\Theta_\lambda| = |C_\lambda|$, and the second equality follows from the definition of $P(\lambda)$.

Equation (4.1) together with Lemma 4.3 applied to the extension $F_f/E$ yields

$$\big| |\{\mathfrak{p} \in V_{ur,f}(\mathbb{F}_q) \mid \Theta_\mathfrak{p} = \Theta_\lambda\}| - P(\lambda) q^m \big| < 2P(\lambda)[F_f : E] \ldots$$

where $V_{ur,f}(\mathbb{F}_q) \subseteq V(\mathbb{F}_q)$ is the set of $\mathbb{F}_q$-rational places in $E$ that are étale in $F_f$. Identifying $V(\mathbb{F}_q)$ with $\mathbb{A}^m(\mathbb{F}_q)$, a prime $\mathfrak{p} = (a_1, \ldots, a_m) \in V_{ur,f}(\mathbb{F}_q)$ has $\Theta_\mathfrak{p} = \Theta_\lambda$ if and only if $\lambda(\mathcal{F}_f(a_1, \ldots, a_m, t)) \in C_\lambda$ ([Bar12, Lem 2.1]). Thus

$$\big| |\{(a_1, \ldots, a_m) \in V_{ur,f}(\mathbb{F}_q) \mid \lambda(\mathcal{F}_f(a_1, \ldots, a_m, t)) = \lambda\}| - P(\lambda) q^m \big| < P(\lambda) \Big( (\deg(f) - 1)(\deg(f) - 2)\, q^{m-1/2} + 5\deg(f)^{13/3}\, q^{m-1} \Big).$$

For $q > 20\deg(f)^3$,

$$\frac{(\deg(f) - 1)(\deg(f) - 2)}{\sqrt{q}} + \frac{5\deg(f)^{13/3}}{q} \leq \frac{1}{2},$$

$$\big| \pi_q(I_m(f), \lambda) - P(\lambda)|I_m(f)| \big| \leq \tfrac{1}{2} P(\lambda)|I_m(f)| + \pi_q^{ram}(I_m(f), \lambda)$$

where

$$\pi_q^{ram}(I_m(f), \lambda) := |\{(a_1, \ldots, a_m) \in V(\mathbb{F}_q) \setminus V_{ur,f}(\mathbb{F}_q) \mid \lambda(\mathcal{F}_f(a_1, \ldots, a_m, t)) = \lambda\}|$$

accounts for ramified primes with the factorization pattern corresponding to $\lambda$. The ramified part $\pi_q^{ram}(I_m(f), \lambda)$ is bounded by the number of $\mathbb{F}_q$ points in the variety defined by the discriminant $\Delta_t(\mathcal{F}_f) \in \mathbb{F}_q[x_1, \ldots, x_m]$ of $\mathcal{F}_f$ with respect to $t$. By expressing $\Delta_t(\mathcal{F}_f)$ as the resultant of $\mathcal{F}_f$ and its derivative with respect to $t$, we see $\deg(\Delta_t(\mathcal{F}_f)) \leq 2[F_f : E] - 1$. Applying an effective version of the Lang-Weil bound [CM06], $\pi_q^{ram}(I_m(f), \lambda)$ turns out to be negligible in our computation.

Since $[F_f : E] = \deg(f)!$, for $\log q > 5\deg(f)\log(\deg(f))$,

$$\tfrac{1}{2} P(\lambda)|I_m(f)| \leq \pi_q(I_m(f), \lambda) \leq \tfrac{3}{2} P(\lambda)|I_m(f)|$$

and the theorem follows. □

Remark 4.5. Recent breakthrough algorithms for discrete logarithm computation [Jou][BGJT] over a small characteristic finite field (say $\mathbb{F}_{r^d}$) have the following initial polynomial search step. Given $r$ and $d$, search for $h_0, h_1 \in \mathbb{F}_{r^2}[t]$, each of degree 2, such that the factorization of $h_1 t^r - h_0$ over $\mathbb{F}_{r^2}[t]$ has an irreducible factor of degree $d$. The search is known to succeed only under heuristic assumptions. If Theorem 4.4 were true for q > (n − 1)^ , then as a corollary (by setting $q = r^2$, $f = $ and $m = 2$), the search provably succeeds (even when $h_1$ is fixed as $h_1 = t$) without making any heuristic assumptions. More generally, if Theorem 4.4 holds for $q > c_1 n^{c_2}$ for some positive absolute constants $c_1, c_2$, then the heuristic assumptions in the polynomial selection step (with appropriate modifications) may be removed.

5. Drinfeld Module Analog of Berlekamp's Algorithm

We motivate the Drinfeld module analog of Berlekamp's algorithm with a brief description of Lenstra's algorithm for integer factorization. Pollard's $p-1$ algorithm [Pol74] is designed to factor an integer that has a prime factor modulo which the multiplicative group has smooth order. Say for instance that a positive integer $n$ has a prime factor $p$ such that every prime power factor of $p - 1$ is bounded by $b$. The algorithm proceeds by choosing a positive integer $B$ as the smoothness bound and computes $m$, the product of all prime powers bounded by $B$. A positive integer $a < n$ is then chosen at random. Assume $a$ is prime to $n$, for otherwise $\gcd(a, n)$ is a non trivial factor of $n$. If $B > b$, since $p - 1$ divides $m$,

$$a^m - 1 = (a^{p-1})^{m/(p-1)} - 1 \equiv 0 \bmod p \Rightarrow p \mid a^m - 1$$

and $\gcd(a^m - 1, n)$ is likely a non trivial factor of $n$.

The running time is at least exponential in the size of $B$. For typical $n$, $B$ needs to be as big as the smallest factor of $n$ and thus the running time is typically exponential in the size of the smallest factor of $n$.

Lenstra's elliptic curve factorization algorithm [Len87] factors every $n$ in (heuristic) expected time subexponential in the size of the smallest factor $p$ of $n$. A key insight of Lenstra was to substitute the multiplicative group $(\mathbb{Z}/p\mathbb{Z})^\times$ in Pollard's $p-1$ algorithm with the group $E(\mathbb{F}_p)$ of $\mathbb{F}_p$ rational points of a random elliptic curve $E$ over $\mathbb{F}_p$. The running time depends on the smoothness of the group order $|E(\mathbb{F}_p)|$ for a randomly chosen $E$. The Hasse-Weil bound guarantees that $||E(\mathbb{F}_p)| - (p + 1)| \leq 2\sqrt{p}$ and Lenstra proved that his algorithm runs in expected time subexponential in the size of $p$ assuming a heuristic on the probability that a random integer in the interval $[p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p}]$ is smooth.

Our algorithm can be thought of as an analogue of Berlekamp's algorithm wherein the Frobenius action is replaced with a random rank-2 Drinfeld action, much like Lenstra's algorithm is an analogue of Pollard's $p - 1$ obtained through replacing the multiplicative group modulo a prime with a random elliptic curve group. Before outlining the algorithm, a few remarks regarding notation are in order. For a positive integer $b$, we call a polynomial $b$-smooth if all its irreducible factors are of degree at most $b$. For a Drinfeld module $\phi$ (with reduction at primes dividing $\mathfrak{h}$) and $\beta \in \phi(\mathbb{F}_\mathfrak{h})$, by $\gcd(\beta, h)$ we really mean the gcd of $h$ and a lift of $\beta$ to $A$.

Drinfeld Module Analogue of the Black-box Berlekamp Algorithm.

Input: Monic square free reducible polynomial $h \in A$.

(1) Pick a smoothness bound $b \geq 1$.

(2) Choose a Drinfeld module $\phi$ at random by picking $g_\phi \in A$ and $\Delta_\phi \in A^\times$ each of degree less than $\deg(h)$ independently and uniformly at random.

(3) Choose a random non zero $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$ and compute $\mathrm{Ord}(\alpha)$.

(4) Find a monic $b$-smooth factor $f$ of $\mathrm{Ord}(\alpha)$ (if one exists).

(5) Output: $\gcd(\phi_{\mathrm{Ord}(\alpha)/f}(\alpha), h)$, which is likely a non trivial factor of $h$.

There is flexibility on how the smooth factor $f$ is determined once $b$ is chosen. One extreme is to set $f$ to be the largest $b$-smooth factor of $\mathrm{Ord}(\alpha)$. The other is to further factor the largest $b$-smooth factor of $\mathrm{Ord}(\alpha)$ (recursively or by other means) and to set $f$ to one of the $b$-smooth irreducible factors of $\mathrm{Ord}(\alpha)$. A rigorous analysis of the former choice with $b = 1$ is in § 5.1. An informal discussion of why the algorithm is likely to succeed with the latter choice follows, keeping in mind that

$$\phi(\mathbb{F}_\mathfrak{h}) \cong \bigoplus_i \phi(\mathbb{F}_{p_i}), \qquad \chi_{\phi,p_i} = p_i - (a_{\phi,p_i} - 1)/e_{\phi,p_i},\ \forall i.$$

For $d > 0$, a random polynomial of degree $d$ has a linear factor with at least constant probability. Assume the plausible hypothesis (which is true for large $q$ by Theorem 4.4) that for every $i$, the probability of a polynomial in the interval $\{p_i + a \mid a \in A,\ \deg(a) < \deg(p_i)/2\}$ around $p_i$ possessing a $b$-smooth factor roughly equals the probability of a random polynomial of degree $\deg(p_i)$ possessing a $b$-smooth factor. This smoothness hypothesis along with the equidistribution of characteristic polynomials (equation (2.1)) suggests it is likely for every $b > 0$ that there exists a $j$ such that $\chi_{\phi,p_j} = p_j - (a_{\phi,p_j} - 1)/e_{\phi,p_j}$ has a $b$-smooth factor. Since $\mathrm{Ann}(\phi(\mathbb{F}_{p_j}))$ divides $\chi_{\phi,p_j}$, it is thus likely that $\mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{h}))$ (which is the least common multiple of $\{\mathrm{Ann}(\phi(\mathbb{F}_{p_i}))\}_i$) has a $b$-smooth factor. Assuming that is the case, since $\alpha$ is chosen at random, with probability at least $1 - 1/q$ there is a monic $b$-smooth polynomial dividing $\mathrm{Ord}(\alpha)$. The algorithm picks one such monic irreducible factor $f$ of $\mathrm{Ord}(\alpha)$. The fact that the reduction of $\phi$ at $\mathfrak{h}$ is random and the equidistribution of characteristic polynomials (equation (2.1)) imply the likely existence of $k$ such that $f(t)$ does not divide $\chi_{\phi,p_k}$. Consequently

$$\phi_{\mathrm{Ord}(\alpha)/f}(\alpha) \equiv 0 \bmod p_k, \qquad \phi_{\mathrm{Ord}(\alpha)/f}(\alpha) \not\equiv 0 \bmod \prod_{i \neq k} p_i,$$

and thus $\gcd(\phi_{\mathrm{Ord}(\alpha)/f}(\alpha), h)$ is likely a non trivial factor of $h$.

The computation of $\mathrm{Ord}(\alpha)$ can be performed efficiently through linear algebra as discussed in § 3.1. This is in stark contrast to the integer analog, where finding the order of an element in the multiplicative group modulo a composite appears hard. A consequence is that, unlike Lenstra's algorithm, our success probability is reliant not on $\chi_{\phi,\mathfrak{p}}$ being smooth but merely on it possessing a smooth factor. The running times are thus bounded by a polynomial in the problem size.

5.1. Drinfeld Module Analogue of Berlekamp's Algorithm With Linear Smoothness. In this section we formally state and analyze the version of the Drinfeld analog of the blackbox Berlekamp algorithm where the smooth factor chosen is the product of all linear factors of the order of a randomly chosen element in $\phi(\mathbb{F}_\mathfrak{h})$.

Algorithm 5.1.

Input: Monic square free reducible polynomial $h \in A$ of degree $n$.

(1) Choose a Drinfeld module $\phi$ by picking $g_\phi \in A$ and $\Delta_\phi \in A^\times$ each of degree less than $\deg(h)$ independently and uniformly at random.

(2) If $\gcd(\Delta_\phi, h) \neq 1$, output it as a factor. Else $\phi$ has reduction at primes dividing $\mathfrak{h}$ and we proceed.

(3) Choose $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$ at random and compute $\mathrm{Ord}(\alpha)$.

(4) Compute $f = \gcd(t^q - t, \mathrm{Ord}(\alpha))$.

(5) Compute $\phi_{\mathrm{Ord}(\alpha)/f}(\alpha)$.

(6) Output: $\gcd(h, \phi_{\mathrm{Ord}(\alpha)/f}(\alpha))$.

The running time of the algorithm is dominated by steps (3) and (5). As in § 3.1, step (3) can be performed in $O(n^{(1+\omega)/2+o(1)}(\log q)^{1+o(1)} + n^{1+o(1)}(\log q)^{2+o(1)})$ expected time by adapting the automorphism projection algorithm of Kaltofen-Shoup. Step (5) poses the transpose problem of step (3) and can be performed in identical expected time as step (3) by the transposition principle (see [KS98, § 3.2]).
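The steps of Algorithm 5.1, with the order computation of § 3.1 done by plain linear algebra and the Carlitz module of § 3.3 as the special case $g_\phi = 1$, $\Delta_\phi = 0$, as an added Python model that is not code from the paper. It assumes a prime field $\mathbb{F}_P$ with $P = 5$ (constructed, far smaller than the lemmas require), constructed inputs $h$, $g$, $\Delta$, and finds $\mathrm{Ord}(\alpha)$ by Gaussian elimination instead of the Kaltofen-Shoup projection.

```python
# Added example, not code from the paper: a small working model of Algorithm 5.1
# over a prime field F_P (q = P). The rank-2 Drinfeld module acts on F_h = F_P[t]/(h)
# by phi_t(x) = t*x + g*x^P + D*x^(P^2), with g and D standing in for the page's g_phi
# and Delta_phi; Ord(alpha) is the first linear dependence among alpha, phi_t(alpha),
# phi_t^2(alpha), ... Polynomials are coefficient lists, lowest degree first.
import random
P = 5  # odd characteristic (constructed; far below the q the lemmas require)

def trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def deg(a):                       # a must be trimmed; deg(0) = -1
    return -1 if a == [0] else len(a) - 1

def add(a, b):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P
                 for i in range(n)])

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def divmod_poly(a, m):            # long division by a nonzero polynomial m
    a, inv = list(a), pow(m[-1], P - 2, P)
    q = [0] * max(1, len(a) - len(m) + 1)
    while deg(a) >= deg(m):
        shift, c = deg(a) - deg(m), a[-1] * inv % P
        q[shift] = c
        for i, y in enumerate(m):
            a[shift + i] = (a[shift + i] - c * y) % P
        trim(a)
    return trim(q), a

def mod(a, m):
    return divmod_poly(a, m)[1]

def gcd(a, b):                    # monic gcd
    while b != [0]:
        a, b = b, mod(a, b)
    inv = pow(a[-1], P - 2, P)
    return [c * inv % P for c in a]

def powmod(x, e, h):              # x^e mod h by square and multiply
    r = [1]
    while e:
        if e & 1:
            r = mod(mul(r, x), h)
        x, e = mod(mul(x, x), h), e >> 1
    return r

def phi_t(x, g, D, h):            # the Drinfeld action of t on F_h
    xq = powmod(x, P, h)
    return mod(add(add(mul([0, 1], x), mul(g, xq)), mul(D, powmod(xq, P, h))), h)

def phi_a(a, x, g, D, h):
    """phi_a(x) = sum_i a_i phi_t^i(x): phi is F_P-linear in the coefficients a_i of a."""
    out, cur = [0], x
    for c in a:
        out = add(out, [c * y % P for y in cur])
        cur = phi_t(cur, g, D, h)
    return out

def order(alpha, g, D, h):
    """Ord(alpha): the monic a of least degree with phi_a(alpha) = 0, from the first
    linear dependence among the vectors phi_t^k(alpha) in F_P^n (Gaussian elimination)."""
    n, rows, cur = deg(h), [], alpha      # rows: (pivot, reduced vector, combination)
    for k in range(n + 1):
        v, comb = cur + [0] * (n - len(cur)), [0] * (n + 1)
        comb[k] = 1                       # v = phi_t^k(alpha) = sum_j comb[j] phi_t^j(alpha)
        for piv, row, rc in rows:         # reduce v against earlier pivots, tracking comb
            f = v[piv]
            v = [(x - f * y) % P for x, y in zip(v, row)]
            comb = [(x - f * y) % P for x, y in zip(comb, rc)]
        if not any(v):                    # dependence found; comb[k] is still 1, so monic
            return trim(comb[:k + 1])
        piv = next(i for i, c in enumerate(v) if c)
        inv = pow(v[piv], P - 2, P)
        rows.append((piv, [c * inv % P for c in v], [c * inv % P for c in comb]))
        cur = phi_t(cur, g, D, h)

def drinfeld_berlekamp(h, rng):
    """One run of steps (1)-(6) of Algorithm 5.1 with linear smoothness; returns the
    gcd of step (6), or None when Delta is not prime to h (step 2) or alpha is zero."""
    n = deg(h)
    rand = lambda: trim([rng.randrange(P) for _ in range(n)])   # degree < deg(h)
    g, D, alpha = rand(), rand(), rand()
    if gcd(D, h) != [1] or alpha == [0]:
        return None
    o = order(alpha, g, D, h)
    f = gcd(add(powmod([0, 1], P, o), [0, P - 1]), o)          # gcd(t^q - t, Ord(alpha))
    return gcd(h, phi_a(divmod_poly(o, f)[0], alpha, g, D, h))  # gcd(h, phi_{Ord/f}(alpha))

def run_trials(h, seeds):
    """Independent runs of the algorithm, one per seed; trivial outputs are 1 or h."""
    return [drinfeld_berlekamp(h, random.Random(s)) for s in seeds]
```

With $g = 1$, $\Delta = 0$ the same `order` routine returns the Carlitz order, which divides $p - 1$ for every element of $\mathbb{F}_P[t]/(p)$ with $p$ irreducible, matching $\chi_{\phi,\mathfrak{p}} = p - 1$ in § 3.3.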

The rest of the section is devoted to showing that Algorithm 5.1 outputs a non trivial factor of $h$ with constant probability. In fact, we prove something stronger in Lemma 5.2 by showing that there exist positive constants $c_1$ and $c_2$ such that for every factor $p_i$ of $\mathfrak{h}$, $p_i$ divides $\gcd(h, \phi_{\mathrm{Ord}(\alpha)/f}(\alpha))$ with probability at least $c_1$ and $p_i$ does not divide $\gcd(h, \phi_{\mathrm{Ord}(\alpha)/f}(\alpha))$ with probability at least $c_2$. As a consequence, not merely a factor but the complete factorization of $h$ can be obtained by recursing the algorithm with recursion depth bounded by $O((\log n)^2)$ (see [KS98, § 3]).

Lemma 5.2. There exists a positive constant $c$ such that, for $q$ odd and $\log q > 5n\log n$, at the termination of Algorithm 5.1, for every prime factor $\mathfrak{p}$ of $\mathfrak{h}$ with monic generator $p$, $p$ divides $\gcd(h, \phi_{\mathrm{Ord}(\alpha)/f}(\alpha))$ with probability at least $c$ and $p$ does not divide $\gcd(h, \phi_{\mathrm{Ord}(\alpha)/f}(\alpha))$ with probability at least $c$.

Proof. Fix a prime factor $\mathfrak{p}$ of $\mathfrak{h}$ with monic generator $p$. Assume $q$ is odd, $\log q > 5n\log n$ and let

$$S_{in} := \{(a, e) \in A \times \mathbb{F}_q^\times \mid \deg(a^2 - 4ep) = \deg(p),\ \gcd(t^q - t, p - (a - 1)/e) = 1\},$$

$$S_{out} := \{(a, e) \in A \times \mathbb{F}_q^\times \mid \deg(a^2 - 4ep) = \deg(p),\ \gcd(t^q - t, p - (a - 1)/e) \neq 1\}.$$

Let $\Lambda$ denote the set of partitions of $\deg(p)$ that contain 1 and let $\overline{\Lambda}$ denote the set of partitions of $\deg(p)$ that do not contain 1.

Since $\deg(a^2 - 4ep) = \deg(p)$ is always true when $\deg(p)$ is odd and $2\deg(a) < \deg(p)$, by Theorem 4.4 it follows for $\deg(p)$ odd that

When $\deg(p)$ is even, since the characteristic of $\mathbb{F}_q$ is assumed odd, we can enforce $\deg(a^2 - 4ep) = \deg(p)$ by restricting the choice of $e$ to ensure $4e$ is not a square in $\mathbb{F}_q^\times$ and picking $a \in A$ arbitrarily of degree at most $\deg(p)/2$. There are at least $(q - 1)/2$ such choices for $e$ and applying Theorem 4.4 once for each such choice we get, for $\deg(p)$ even and $\mathbb{F}_q$ of odd characteristic,

$$2|S_{out}| \geq \Big( \sum_{\lambda \in \Lambda} P(\lambda) \Big) \cdots$$

The number of permutations in $S_{\deg(p)}$ with no fixed points is $\lceil \deg(p)!/e \rceil$ if $\deg(p)$ is even and $\lfloor \deg(p)!/e \rfloor$ otherwise. Thus $\sum_{\lambda \in \overline{\Lambda}} P(\lambda)$ is this count divided by $\deg(p)!$, and there exist positive constants $b_1, b_2$ such that

$$\sum_{\lambda \in \Lambda} P(\lambda) \geq b_1, \qquad \sum_{\lambda \in \overline{\Lambda}} P(\lambda) \geq b_2.$$

Applying Lemma 2.5 once each to $S_{in}$ and $S_{out}$, there exist positive constants $d_1$ and $d_2$ such that

$$|\{(\phi/\mathfrak{p}) \mid (a_{\phi,p}, e_{\phi,p}) \in S_{in}\}| \geq d_1 |\mathbb{F}_p| |\mathbb{F}_p^\times|,$$

$$|\{(\phi/\mathfrak{p}) \mid (a_{\phi,p}, e_{\phi,p}) \in S_{out}\}| \geq d_2 |\mathbb{F}_p| |\mathbb{F}_p^\times|.$$

Since $g_\phi \in A$ and $\Delta_\phi \in A^\times$ are each chosen of degree less than $\deg(h)$ independently and uniformly at random and $\gcd(\Delta_\phi, h) = 1$, by the Chinese remainder theorem $(g_\phi \bmod p, \Delta_\phi \bmod p)$ is distributed uniformly in $\mathbb{F}_p \times \mathbb{F}_p^\times$. Thus the probability that $\mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{p}))$ has a linear factor is at least $d_1$ and the probability that $\mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{p}))$ does not have a linear factor is at least $d_2$. Since the projection of a random $\alpha \in \phi(\mathbb{F}_\mathfrak{h})$ into $\phi(\mathbb{F}_\mathfrak{p})$ has order $\mathrm{Ann}(\phi(\mathbb{F}_\mathfrak{p}))$ with probability at least $(1 - 1/q) > 1/2$, the lemma follows. □


Remark 5.3. If $q < 5n\log n$, we may work over a finite extension $\mathbb{F}_{q'}/\mathbb{F}_q$ such that $q' > 5n\log n$ and by Lemma 5.2 be assured that Algorithm 5.1 succeeds; however, we incur an extra factor of $n$ in the expected running time. If Conjecture 4.2 is true, then Lemma 5.2 holds with only the requirements that $q$ is odd and $\sqrt{q} > 2n$. The assumption $\sqrt{q} > 2n$ may be made without loss in generality (Remark 3.2).